Quick.CMS
CVEs (30)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-12465 | Hig | 0.56 | — | 0.00 | Dec 2, 2025 | A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the… | ||
| CVE-2026-11860 | Hig | 0.49 | — | 0.00 | Jun 15, 2026 | Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation… | ||
| CVE-2021-47981 | Med | 0.35 | 5.4 | 0.00 | May 16, 2026 | Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form… | ||
| CVE-2026-33386 | Low | 0.15 | — | 0.00 | May 29, 2026 | QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the… | ||
| CVE-2020-35754 | 0.04 | — | 0.10 | Jan 28, 2021 | OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab. | |||
| CVE-2012-6430 | 0.03 | — | 0.04 | Mar 24, 2014 | Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of… | |||
| CVE-2009-1410 | 0.03 | — | 0.01 | Apr 24, 2009 | SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-4139 | 0.03 | — | 0.02 | Sep 24, 2008 | Cross-site scripting (XSS) vulnerability in admin.php in OpenSolution Quick.Cms.Lite 2.1 allows remote attackers to inject arbitrary web script or HTML via the query string. | |||
| CVE-2006-5834 | 0.03 | — | 0.02 | Nov 10, 2006 | Directory traversal vulnerability in general.php in OpenSolution Quick.Cms.Lite 0.3 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the sLanguage Cookie parameter. | |||
| CVE-2024-58308 | 0.00 | — | 0.01 | Dec 11, 2025 | Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system. | |||
| CVE-2025-10018 | 0.00 | — | 0.00 | Nov 14, 2025 | QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript… | |||
| CVE-2025-9982 | 0.00 | — | 0.00 | Nov 14, 2025 | A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially… | |||
| CVE-2025-9981 | 0.00 | — | 0.00 | Oct 23, 2025 | QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript… | |||
| CVE-2025-9980 | 0.00 | — | 0.00 | Oct 23, 2025 | QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add… | |||
| CVE-2025-55175 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this… | |||
| CVE-2025-54544 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is… | |||
| CVE-2025-54543 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not… | |||
| CVE-2025-54542 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user. The vendor was notified early about this vulnerability, but didn't respond with the details of… | |||
| CVE-2025-54541 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this… | |||
| CVE-2025-54540 | 0.00 | — | 0.00 | Aug 28, 2025 | QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this… |
- risk 0.56cvss —epss 0.00
A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the…
- risk 0.49cvss —epss 0.00
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation…
- risk 0.35cvss 5.4epss 0.00
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form…
- risk 0.15cvss —epss 0.00
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the…
- CVE-2020-35754Jan 28, 2021risk 0.04cvss —epss 0.10
OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.
- CVE-2012-6430Mar 24, 2014risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of…
- CVE-2009-1410Apr 24, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-4139Sep 24, 2008risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in admin.php in OpenSolution Quick.Cms.Lite 2.1 allows remote attackers to inject arbitrary web script or HTML via the query string.
- CVE-2006-5834Nov 10, 2006risk 0.03cvss —epss 0.02
Directory traversal vulnerability in general.php in OpenSolution Quick.Cms.Lite 0.3 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the sLanguage Cookie parameter.
- CVE-2024-58308Dec 11, 2025risk 0.00cvss —epss 0.01
Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system.
- CVE-2025-10018Nov 14, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript…
- CVE-2025-9982Nov 14, 2025risk 0.00cvss —epss 0.00
A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially…
- CVE-2025-9981Oct 23, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript…
- CVE-2025-9980Oct 23, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add…
- CVE-2025-55175Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this…
- CVE-2025-54544Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is…
- CVE-2025-54543Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not…
- CVE-2025-54542Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user. The vendor was notified early about this vulnerability, but didn't respond with the details of…
- CVE-2025-54541Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this…
- CVE-2025-54540Aug 28, 2025risk 0.00cvss —epss 0.00
QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this…
Page 1 of 2