CVE-2026-33384
Description
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
QuickCMS session fixation allows attackers to hijack authenticated sessions by pre-setting a session ID before login.
Vulnerability
QuickCMS versions up to and including 6.8 (prior to the patch released on 15 May 2026) suffer from a session fixation vulnerability (CWE-384). The application allows a user's session identifier to be set before authentication, and that same session ID persists after login. This means an attacker can pre-set a known session ID for a victim and later use it to hijack the authenticated session. [1]
Exploitation
An attacker needs to be able to set the victim's session ID, typically by crafting a link that includes a specific session ID parameter (e.g., PHPSESSID) and luring the victim to click it. No authentication is required for the initial step. Once the victim authenticates on the attacker-chosen session, the attacker can use the same session ID to access the victim's authenticated session without needing credentials. [1]
Impact
Successful exploitation allows the attacker to hijack the victim's authenticated session, gaining access to the victim's account and any associated data or functionality. This can lead to unauthorized actions, data disclosure, or privilege escalation depending on the victim's role. [1]
Mitigation
The vulnerability is fixed in QuickCMS version 6.8 with the patch released on 15 May 2026. Users should update to the patched version immediately. Deployments without this patch remain vulnerable. [1][2] No workaround is mentioned in the available references.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.