| CVE ID | CVE-2026-33384 |
| Publication date | 29 May 2026 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | All through 6.8 until patch published on 15.05.2026 |
| Vulnerability type (CWE) | Session Fixation (CWE-384) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-33386 |
| Publication date | 29 May 2026 |
| Vendor | OpenSolution |
| Product | QuickCMS |
| Vulnerable versions | All through 6.8 until patch published on 15.05.2026 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in QuickCMS software and participated in coordination of their disclosure.
The vulnerability CVE-2026-33384: QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
The vulnerability CVE-2026-33386: QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed.
These issues were fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.
Credits
We thank Jakub Lipiński for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.