Cross-Site Scripting Vulnerability in QuickCMS by OpenSolution
CVE-2026-33386

2.3 LOW

Key Information:

Status
Vendor
CVE Published: 29 May 2026

What is CVE-2026-33386?

QuickCMS is vulnerable to Cross-Site Scripting because its plugin-fetching mechanism uses insecure HTTP. An attacker in a Man-in-the-Middle (MITM) position can pretend to be the opensolution.org server and inject malicious HTML or JavaScript into the response of the plugin list endpoint. Users who open the plugin page then unknowingly fetch, render, and execute the harmful content, which can lead to a range of security breaches. A patch addressing this issue was released in version 6.8 on May 15, 2026; systems that have not applied this update remain at risk.
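
The two controls that close this class of bug, authenticated transport and output encoding of the fetched data, are sketched below as an added example; it is not QuickCMS code and not the vendor's patch. The URL is a placeholder, and the JSON list format and the function names `fetchPluginList` and `renderPluginList` are assumptions made for illustration.

```php
<?php
// Added example, not QuickCMS code. URL, JSON shape and function names are assumptions.
const PLUGIN_LIST_URL = 'https://plugins.example.invalid/list.json'; // placeholder

function fetchPluginList(string $url): string
{
    // Fail closed on anything but HTTPS so the fetch cannot fall back to plain HTTP.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('plugin list must be fetched over HTTPS');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // libcurl itself refuses other schemes
        CURLOPT_FOLLOWLOCATION => false,           // no redirect to another scheme or host
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('plugin list fetch failed: ' . curl_error($ch));
    }
    return $body;
}

function renderPluginList(string $json): string
{
    // Treat the response as data, never as markup: parse it, then encode every field.
    $items = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($items)) {
        throw new UnexpectedValueException('plugin list is not an array');
    }
    $esc = static fn ($v): string =>
        htmlspecialchars(is_string($v) ? $v : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = "<ul>\n";
    foreach ($items as $item) {
        if (!is_array($item)) {
            continue; // skip entries that are not objects
        }
        $html .= '  <li><strong>' . $esc($item['name'] ?? null) . '</strong> '
               . $esc($item['description'] ?? null) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample response carrying markup in a field; it is rendered inert.
// In production: $json = fetchPluginList(PLUGIN_LIST_URL); (network call, not run here)
$sample = '[{"name":"Gallery","description":"<script>alert(1)</script>"}]';
echo renderPluginList($sample);
```

HTTPS with certificate validation removes the impersonation path, and the encoding step keeps the page safe even if the upstream response is ever tampered with at the source.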

Affected Version(s)

QuickCMS 0 <= 6.8

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jakub Lipiński