CVE List

CVE-2026-21641

Moderate 6.5

HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts.

Published January 20, 2026.

Affected software

Aquaplatform Revive Adserver

Get alerts for Aquaplatform Revive Adserver

Reference links