cbcvebase.
CVE-2026-33384
published 2026-05-29

Priority: P4 22
Severity: medium, 4.8 (CVSS 4.0)
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (E, CR, IR, AR, all modified base metrics, S, AU, R, V, RE and U are X, not defined)
EPSS: 0.15% (4.9th percentile)

QuickCMS allows a user's session identifier to be set before authentication, and the value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable.
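
The invariant behind this class of bug, as an added example that is not QuickCMS code: a session ID issued before login must stop being valid once the user authenticates. `SessionStore` and `preauth_id_survives_login` are hypothetical names for a toy model that can serve as a regression check after patching.

```python
import secrets


class SessionStore:
    """Toy server-side session table: session id -> authenticated user or None."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def visit(self, sid=None):
        """Anonymous request: reuse a known id, otherwise issue a new one."""
        if sid not in self.sessions:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Authenticate the holder of sid and return the id valid afterwards."""
        sid = self.visit(sid)
        if self.rotate_on_login:
            del self.sessions[sid]           # the pre-auth id is invalidated
            sid = secrets.token_urlsafe(32)  # a fresh id is bound to the login
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        """Return the user bound to sid, or None if anonymous or unknown."""
        return self.sessions.get(sid)


def preauth_id_survives_login(store, user="alice"):
    """True if the id issued before login is still authenticated after it."""
    pre_auth_id = store.visit()
    store.login(pre_auth_id, user)
    return store.whoami(pre_auth_id) == user


if __name__ == "__main__":
    for rotate in (False, True):
        result = preauth_id_survives_login(SessionStore(rotate_on_login=rotate))
        print(f"rotate_on_login={rotate}: pre-auth id survives login = {result}")
```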

Affected

1 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensolution | quickcms | <= 6.8 | |