Description
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed.


This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable.
Published: 2026-05-29
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

QuickCMS contains an XSS flaw in its HTTP‑based plugin‑fetching mechanism. A remote attacker can impersonate the official opensolution.org server and serve malicious HTML or JavaScript at the plugin list endpoint. When a legitimate user visits the plugin page, the attacker’s payload is automatically fetched, rendered and executed in the user’s browser, potentially allowing the attacker to steal session cookies, alter page content or perform further client‑side attacks.

Affected Systems

The vulnerability affects deployments of OpenSolution QuickCMS that have not applied the patch for version 6.8 released on 15.05.2026. All earlier or unpatched releases are susceptible.

Risk and Exploitability

The CVSS score is 2.3, indicating low severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires network connectivity and a victim who accesses the plugin page, making the attack vector likely a Man‑in‑the‑Middle scenario on the traffic between a user’s browser and the plugin server. The risk is confined to client‑side impact such as XSS but can be leveraged for phishing or credential theft.

Generated by OpenCVE AI on May 29, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the QuickCMS 6.8 patch or later that fixes the plugin‑fetching vulnerability
  • If immediate patching is not possible, disable or block the plugin‑listing endpoint so that no external content is fetched
  • Enforce HTTPS for all communications with the plugin server to prevent MITM tampering
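The two technical mitigations listed above (only fetch the plugin list over verified HTTPS, and never hand the fetched bytes to the browser as markup) combined in one added example. This is illustrative code written for this page, not QuickCMS's own implementation; the endpoint URL, the JSON shape of the plugin list and the field names are assumptions.

```python
"""Defensive pattern: fetch a remote plugin list over verified HTTPS only,
treat the response strictly as data, and HTML-escape every field before
rendering it. Added example, not QuickCMS code."""
import html
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Hypothetical endpoint; QuickCMS's real plugin-list URL is not shown here.
PLUGIN_LIST_URL = "https://plugins.example.org/list.json"


def fetch_plugin_list(url: str, timeout: float = 10.0) -> bytes:
    """Return the raw plugin list body, refusing anything but HTTPS.

    Plain HTTP is rejected before any connection is made, so an on-path
    attacker cannot substitute the response. The default SSL context
    verifies the certificate chain and the hostname, so a server merely
    impersonating the plugin host fails the TLS handshake.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(
            f"refusing to fetch plugin list over {parsed.scheme!r}; HTTPS required"
        )
    ctx = ssl.create_default_context()  # verify chain + hostname
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        if resp.status != 200:
            raise RuntimeError(f"unexpected status {resp.status} from plugin server")
        return resp.read()


def render_plugin_list(body: bytes) -> str:
    """Parse the body as a JSON array of plugin objects and render an HTML list.

    The response is never inserted into the page as-is: it must parse as JSON
    (so a raw HTML/JavaScript payload is rejected outright), and every string
    that ends up in the output passes through html.escape, so markup or
    attribute-breaking quotes in any field are rendered as text.
    """
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("plugin list is not valid JSON") from exc
    if not isinstance(data, list):
        raise ValueError("plugin list must be a JSON array")

    rows = []
    for entry in data:
        if not isinstance(entry, dict):
            raise ValueError("each plugin entry must be a JSON object")
        # Assumed field names; quote=True also escapes " and ' for attributes.
        name = html.escape(str(entry.get("name", "")), quote=True)
        version = html.escape(str(entry.get("version", "")), quote=True)
        desc = html.escape(str(entry.get("description", "")), quote=True)
        rows.append(f"<li><b>{name}</b> {version}: {desc}</li>")
    return "<ul>" + "".join(rows) + "</ul>"


# Constructed sample bodies, standing in for a tampered server response.
TAMPERED_JSON_BODY = json.dumps(
    [
        {
            "name": "<script>alert(1)</script>",
            "version": "1.0",
            "description": 'x" onmouseover="alert(2)',
        }
    ]
).encode("utf-8")

RAW_HTML_BODY = b"<script>alert(1)</script>"  # not JSON at all


if __name__ == "__main__":
    # Offline demonstration: the tampered fields come out as inert text,
    # and a bare HTML payload is refused instead of rendered.
    print(render_plugin_list(TAMPERED_JSON_BODY))
    try:
        render_plugin_list(RAW_HTML_BODY)
    except ValueError as err:
        print("rejected:", err)
```

The scheme check runs before any socket is opened, so a misconfigured `http://` plugin URL fails loudly at the first fetch rather than silently trusting whatever is on the wire; the JSON-then-escape rendering path means that even if the transport were compromised, the worst the page shows is the attacker's markup as visible text.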


Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opensolution; Opensolution quick.cms
Vendors & Products                     Opensolution; Opensolution quick.cms
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 16:15:00 +0000

Type                  Values Removed   Values Added
Description                            QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed. This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable.
Title                                  XSS in QuickCMS
Weaknesses                             CWE-79
References
Metrics                                cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-29T17:31:36.344Z

Reserved: 2026-03-19T10:45:47.736Z

Link: CVE-2026-33386

Vulnrichment

Updated: 2026-05-29T17:31:32.731Z

NVD

Status: Deferred

Published: 2026-05-29T16:16:25.560

Modified: 2026-05-29T16:29:11.350

Link: CVE-2026-33386

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:15:05Z

Weaknesses