🔐 CVE Alert

CVE-2026-33386

UNKNOWN 0.0

XSS in QuickCMS

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin-fetching mechanism. An attacker can perform a Man-in-the-Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed. This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable.

CWE CWE-79
Vendor opensolution
Product quickcms
Published May 29, 2026
Last Updated May 29, 2026

Affected Versions

OpenSolution / QuickCMS
0 ≤ 6.8

References

cert.pl: https://cert.pl/posts/2026/05/CVE-2026-33384/
opensolution.org: https://opensolution.org/home.html

Credits

Jakub Lipiński