Session Fixation Vulnerability in QuickCMS by OpenSolution
CVE-2026-33384

4.8 MEDIUM

Key Information:

CVE Published: 29 May 2026

What is CVE-2026-33384?

QuickCMS has a vulnerability that permits the user's session identifier to be established prior to authentication. This session ID remains unchanged even after the user has been authenticated. As a result, attackers can set a predefined session ID for an unsuspecting victim, ultimately allowing them to hijack the victim's authenticated session. This issue was addressed in a patch released with version 6.8 on 15.05.2026. Instances running earlier versions, including 6.7 and below, without this patch remain susceptible to exploitation.
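The condition described above, as an added example that is not QuickCMS code: a constructed in-memory session store whose login either keeps the pre-authentication ID or issues a fresh one, plus a check suitable for a regression test. All class, function and user names are hypothetical.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store; not QuickCMS code."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session ID -> {"user": name or None}

    def start(self, presented_id=None):
        # Reuse an ID the store already knows; otherwise issue a fresh one.
        # An ID the store did not generate itself is never adopted.
        if presented_id in self.sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        if self.regenerate_on_login:
            # Hardened: invalidate the pre-auth ID, bind the user to a new one.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        # Without regeneration the pre-auth ID is simply promoted to an
        # authenticated session, which is the flaw the advisory describes.
        self.sessions[sid] = {"user": user}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def id_survives_login(store):
    """True if an ID known before authentication is authenticated afterwards."""
    pre_auth_id = store.start()          # ID exists before any credentials
    store.login(pre_auth_id, "alice")    # constructed user name
    return store.user_for(pre_auth_id) == "alice"


if __name__ == "__main__":
    print("unchanged ID after login:", id_survives_login(SessionStore(False)))
    print("regenerated ID after login:", id_survives_login(SessionStore(True)))
```

The same assertion, that the session ID seen before login no longer resolves to an authenticated user after login, can be run against a deployed instance by comparing the session cookie before and after authentication.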

Affected Version(s)

QuickCMS 0 <= 6.8

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jakub Lipiński