Description
QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft a special website which, when visited by the victim, automatically sends a POST request with the victim's privileges.
The software does not implement any protection against this type of attack, so every form it exposes is potentially vulnerable.

The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed vulnerable; other versions were not tested and might also be vulnerable.
Published: 2026-03-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery leading to unauthorized actions with victim privileges
Action: Apply Fix
AI Analysis

Impact

QuickCMS lacks CSRF protection on multiple endpoints. Based on the description, an attacker can craft a web page that automatically submits POST requests on behalf of a user who is logged in. The flaw corresponds to CWE-352. While the advisory does not state it explicitly, it is inferred that the attacker could perform any action the victim can, such as editing or deleting content, directly from the victim's browser.

Affected Systems

OpenSolution QuickCMS is affected. Version 6.8 has been confirmed vulnerable; other releases have not been tested but may also be susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating moderate impact. The EPSS score is below 1%, indicating a low current likelihood of exploitation, and it is not listed in the CISA KEV catalog. The likely attack vector is a social engineering or phishing scenario where the victim visits a malicious site while logged into the CMS; this inference is based on the description of the payload being automatically sent with the victim's privileges.

Generated by OpenCVE AI on April 18, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any QuickCMS update that addresses CSRF weaknesses when available.
  • Deploy server‑side CSRF tokens on all dynamic forms and validate them for every state‑changing request.
  • Configure a web application firewall to block or rate‑limit POST requests that do not contain a valid CSRF token or originate from unexpected referrers.
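As an added illustration of the second action above (example code written for this page, not QuickCMS's own PHP code), a request guard that binds a random token to the server-side session, demands it on every state-changing method, and additionally checks the Origin/Referer header. `Session`, `Request`, `check_csrf` and the field name `csrf_token` are assumed names.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_FIELD = "csrf_token"  # name of the hidden form field (assumed)

@dataclass
class Session:
    """Server-side session; the token is created once per session and is unreadable by other sites."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    headers: dict
    form: dict

def issue_token(session: Session) -> str:
    """Value to embed as <input type="hidden" name="csrf_token"> in every form the server renders."""
    return session.csrf_token

def origin_allowed(req: Request, site_origin: str) -> bool:
    """Secondary check: Origin, or failing that Referer, must name this site.
    A request carrying neither is rejected: the site's own forms always send one."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin

def check_csrf(req: Request, session: Session, site_origin: str) -> tuple[bool, str]:
    """Gate every state-changing request; safe methods (GET/HEAD) pass untouched."""
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not origin_allowed(req, site_origin):
        return False, "origin mismatch"
    submitted = req.form.get(TOKEN_FIELD, "")
    # compare_digest runs in constant time, so timing does not leak how many leading bytes matched
    if not submitted or not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "missing or invalid token"
    return True, "ok"
```

A forged cross-site form submission fails both checks: the attacker's page cannot read the victim's session token, and its Origin names the wrong site.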


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 21:15:00 +0000

Values added:
  • Metrics (ssvc, version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial

Mon, 09 Mar 2026 10:15:00 +0000

Values added:
  • First Time appeared: Opensolution; Opensolution quick.cms
  • Vendors & Products: Opensolution; Opensolution quick.cms

Fri, 06 Mar 2026 11:15:00 +0000

Values added:
  • Description: QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft special website, which when visited by the victim, will automatically send a POST request with victim's privileges. This software does not implement any protection against this type of attack. All forms available in this software are potentially vulnerable. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
  • Title: Cross-Site Request Forgery in QuickCMS
  • Weaknesses: CWE-352
  • References
  • Metrics (cvssV4_0): score 5.1; vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Updated: 2026-03-09T21:04:31.809Z

Reserved: 2026-01-27T08:08:29.063Z

Link: CVE-2026-1468

Vulnrichment

Updated: 2026-03-09T20:58:08.298Z

NVD

Status: Deferred

Published: 2026-03-06T11:16:08.613

Modified: 2026-04-27T19:22:08.623

Link: CVE-2026-1468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses