CVE-2026-33386
Description
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed.
This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An insecure HTTP-based plugin-fetching mechanism in QuickCMS allows MITM attackers to inject arbitrary XSS content.
Vulnerability
Cross-Site Scripting (XSS) exists in QuickCMS through the insecure HTTP-based plugin-fetching mechanism. A malicious attacker can perform a Man-in-the-Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. All versions up to and including version 6.8 (before the patch of 15 May 2026) are affected [1].
Exploitation
An attacker must have a network position that allows them to intercept or redirect HTTP traffic between a QuickCMS instance and the plugin server at opensolution.org. By impersonating that server, the attacker injects malicious content that is automatically fetched and rendered when the victim accesses the plugin page. No authentication or user interaction beyond visiting the plugin page is required [1].
Impact
Successful exploitation results in arbitrary HTML or JavaScript execution in the context of the victim's browser session. This can lead to information disclosure, session hijacking, or other client-side attacks. The privilege level obtained is that of the victim user viewing the plugin page [1].
Mitigation
The vulnerability was fixed in a patch to version 6.8 published on 2026-05-15. Deployments running version 6.8 (or earlier) must apply the patch immediately. No workaround is described in the available references; upgrading to the patched version is the recommended action [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <6.8
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.