CVE-2026-33386
Cross-Site Scripting in QuickCMS via MITM Plugin Fetch
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: CERT.PL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensolution | quickcms | Up to 6.8 (inclusive) |
| opensolution | quickcms | From 6.8 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
QuickCMS is vulnerable to Cross-Site Scripting (XSS) due to its insecure HTTP-based plugin-fetching mechanism.
An attacker can perform a Man-in-the-Middle (MITM) attack by impersonating the opensolution.org server and serving malicious HTML or JavaScript at the plugin list endpoint.
When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed in the user's browser.
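The fetch-and-render pattern described above, shown next to a hardened variant. This is an added illustration, not QuickCMS code; QuickCMS is a PHP application, but the function names, the endpoint path and the JSON list format are assumptions.

```php
<?php
// Added example, not QuickCMS code. Endpoint path and JSON format are assumed.

// Weak pattern: plain HTTP, so whoever sits on the network path can impersonate
// the server, and the raw body is echoed straight into the admin page.
function renderPluginListWeak(): string
{
    $body = file_get_contents('http://opensolution.org/plugins/list'); // assumed path
    return $body === false ? '' : $body;
}

// Hardened fetch: TLS with peer and hostname verification, fail closed,
// and the response is treated as data (JSON), never as markup.
function fetchPluginListSecure(string $url = 'https://opensolution.org/plugins/list.json'): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,            // reject forged certificates
        CURLOPT_SSL_VERIFYHOST  => 2,               // certificate must name this host
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // no downgrade to http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    $ok   = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    if (!$ok) {
        return []; // show no list rather than attacker-supplied content
    }
    $list = json_decode($body, true);
    return is_array($list) ? $list : [];
}

// Hardened render: only the expected scalar fields, each HTML-escaped on output.
function renderPluginListSecure(array $plugins): string
{
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<ul>';
    foreach ($plugins as $p) {
        $html .= '<li>' . $esc((string)($p['name'] ?? '')) . ' '
               . $esc((string)($p['version'] ?? '')) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed sample standing in for a tampered response: markup is shown as text.
$sample = [['name' => '<b>injected</b>', 'version' => '1.0']];
echo renderPluginListSecure($sample), PHP_EOL;
```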
How can this vulnerability impact me?
This vulnerability allows an attacker to inject and execute arbitrary HTML or JavaScript code in the context of the QuickCMS plugin page.
Such an attack can lead to unauthorized actions performed on behalf of the user, theft of sensitive information, session hijacking, or other malicious activities.
The attack requires the attacker to be able to intercept and modify network traffic between the user and the plugin server (MITM).
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in QuickCMS is fixed in version 6.8, which was published on 15.05.2026.
To mitigate this vulnerability immediately, you should update your QuickCMS deployment to version 6.8 or later.
Until the patch is applied, avoid accessing the plugin page over insecure networks where a Man-in-the-Middle attack could be performed.