Stored XSS Vulnerability in QuickCMS Language Editor
CVE-2025-10018

4.8 MEDIUM

Key Information:

CVE Published: 14 November 2025

What is CVE-2025-10018?

QuickCMS has a security flaw involving stored Cross-Site Scripting (XSS) in its language editor feature. This vulnerability can be exploited by an attacker with admin privileges, enabling the injection of arbitrary HTML and JavaScript code. Once injected, the malicious scripts are executed on every page viewed by users. Although the vendor was notified of this issue, they did not provide any specifics regarding the affected versions. Initial tests confirmed that version 6.8 is vulnerable, but other versions may also be at risk.

Affected Version(s)

QuickCMS 6.8

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Karol Czubernat