CVE-2026-33384
Deferred Deferred - Pending Action
Session Fixation in QuickCMS

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: CERT.PL

Description
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-33384
EUVD
EUVD-2026-33338
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
quickcms quickcms 6.8
quickcms quickcms to 6.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in QuickCMS allows an attacker to hijack authenticated user sessions by fixing the session ID before authentication. This can lead to unauthorized access to user data.

Such unauthorized access risks violating data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure or access.

Therefore, deployments of QuickCMS without the patch fixing this issue may be non-compliant with these standards due to the increased risk of session hijacking and potential data breaches.

Executive Summary

This vulnerability in QuickCMS is a Session Fixation attack. It allows an attacker to set a user's session identifier before the user authenticates. The session ID remains the same after the user logs in, enabling the attacker to fix a session ID for the victim and later hijack the authenticated session.

Impact Analysis

The vulnerability can allow an attacker to hijack a victim's authenticated session by fixing the session ID before login. This means the attacker can gain unauthorized access to the victim's account and perform actions with the victim's privileges.

Mitigation Strategies

To mitigate this vulnerability, you should update QuickCMS to version 6.8 or later, as the issue was fixed in the patch published on 15.05.2026.

Systems running versions older than 6.8 remain vulnerable and should be upgraded as soon as possible to prevent session fixation attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33384. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart