Description
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute arbitrary JavaScript in victim browsers when the form is submitted.
Published: 2026-05-16
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quick.CMS 6.7 contains a cross-site scripting flaw in the sliders form that occurs when an attacker, who is already authenticated as an administrator, submits malicious content through the sDescription field. The flaw allows arbitrary JavaScript to execute in the victim's browser at the moment the form is submitted. This client-side execution can expose the user's session and data while they interact with the page.

Affected Systems

The vulnerability is limited to OpenSolution's Quick.CMS application, specifically version 6.7. The CPE entries also list version 6.8, but the description references only 6.7, so installations of Quick.CMS 6.7 are the ones confirmed to be affected.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the medium-severity range. EPSS is not available, indicating an unknown exploitation probability at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated as an administrator and to deliver the payload via a CSRF form targeting the admin.php?p=sliders-form endpoint. The attack vector is therefore CSRF from a trusted session.

Generated by OpenCVE AI on May 16, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quick.CMS to the latest stable release that addresses the CSRF XSS issue.
  • If an upgrade is not immediately possible, implement server-side sanitization of the sDescription input to reject or escape script tags before rendering.
  • Configure the application to require a CSRF token for form submissions, particularly for the admin.php?p=sliders-form endpoint, to prevent automated injection.
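As an added example (not Quick.CMS's own code), the following PHP fragment shows the last two actions together: a per-session CSRF token checked with hash_equals on the sliders-form POST, and the sDescription value escaped with htmlspecialchars at render time instead of being stripped on input. The helper names, the session layout and the omitted persistence step are assumptions; only the field name and the endpoint parameter come from the advisory.

```php
<?php
// Added example, not Quick.CMS code. Helper names, session layout and the
// persistence step are assumptions; sDescription and p=sliders-form are
// taken from the advisory text.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// One random token per session; the form embeds it and the handler checks it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or empty stored token never matches.
function csrf_valid($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Escape for an HTML context so "<script>" and quotes render as text.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$description = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['p'] ?? '') === 'sliders-form') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Keep the raw value for storage; escaping happens at output time below.
    $description = (string)($_POST['sDescription'] ?? '');
    // ... save $description to the sliders table (assumed persistence layer omitted)
}
?>
<form method="post" action="admin.php?p=sliders-form">
  <input type="hidden" name="csrf_token" value="<?= escape_html(csrf_token()) ?>">
  <textarea name="sDescription"><?= escape_html($description) ?></textarea>
  <button type="submit">Save</button>
</form>
```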


Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type: Description
  Values Added: Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute arbitrary JavaScript in victim browsers when the form is submitted.
Type: Title
  Values Added: Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form
Type: First Time appeared
  Values Added: Opensolution
                Opensolution quick.cms
                Opensolution quick.cms.ext
Type: Weaknesses
  Values Added: CWE-79
Type: CPEs
  Values Added: cpe:2.3:a:opensolution:quick.cms.ext:6.8:*:*:*:*:*:*:*
                cpe:2.3:a:opensolution:quick.cms:6.7:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Opensolution
                Opensolution quick.cms
                Opensolution quick.cms.ext
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV3_1
                {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                cvssV4_0
                {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:20.799Z

Reserved: 2026-05-16T14:53:34.220Z

Link: CVE-2021-47981

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:23.753

Modified: 2026-05-16T16:16:23.753

Link: CVE-2021-47981

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T17:15:26Z

Weaknesses