CVE-2026-33386
Published 2026-05-29

Priority: P4 | 15 | low
CVSS 4.0 score: 2.3
CVSS 4.0 vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.18% (8.3th percentile)
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed.
This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensolution | quickcms | <= 6.8 | — |
GHSA
GHSA-wq6v-xp72-v7h5: QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin-fetching mechanism
ghsa_unreviewed · 2026-05-29 · CVE-2026-33386 [LOW] · CWE-79
(Description identical to the CVE text above.)
VulDB
OpenSolution QuickCMS up to 6.8 Plugin List Endpoint cross site scripting
vuldb · 2026-05-29 · CVSS 2.3 · CVE-2026-33386 [LOW]
A vulnerability labeled as problematic has been found in OpenSolution QuickCMS up to 6.8. The impacted element is an unknown function of the component Plugin List Endpoint. Such manipulation leads to cross site scripting.
This vulnerability is documented as CVE-2026-33386. The attack can be executed remotely. No exploit is available.
It is best practice to apply a patch to resolve this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-29