CVE-2026-21640 — HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user — CVE Database · The Intelligence Room