VYPR
Vendor

Open Solution

Products
3
CVEs
49
Across products
51
Status
Private

Products

3

Recent CVEs

49
View all 49 CVEs →
  • CVE-2025-12465HigDec 2, 2025
    risk 0.56cvss epss 0.00

    A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the…

  • CVE-2026-11860HigJun 15, 2026
    risk 0.49cvss epss 0.00

    Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation…

  • CVE-2021-47981MedMay 16, 2026
    risk 0.35cvss 5.4epss 0.00

    Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form…

  • CVE-2025-10317MedOct 30, 2025
    risk 0.33cvss epss 0.00

    Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This…

  • CVE-2026-33386LowMay 29, 2026
    risk 0.15cvss epss 0.00

    QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the…

  • CVE-2020-35754Jan 28, 2021
    risk 0.04cvss epss 0.10

    OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab.

  • CVE-2012-6430Mar 24, 2014
    risk 0.03cvss epss 0.04

    Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of…

  • CVE-2009-4120Dec 1, 2009
    risk 0.03cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete…

  • CVE-2009-1410Apr 24, 2009
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4140Sep 24, 2008
    risk 0.03cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in admin.php in Quick.Cart 3.1 allows remote attackers to inject arbitrary web script or HTML via the query string.

  • CVE-2008-4139Sep 24, 2008
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in admin.php in OpenSolution Quick.Cms.Lite 2.1 allows remote attackers to inject arbitrary web script or HTML via the query string.

  • CVE-2007-3138Jun 8, 2007
    risk 0.03cvss epss 0.03

    Directory traversal vulnerability in index.php in Open Solution Quick.Cart 2.2 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in an sLanguage cookie, which is used to define a value in config/general.php.

  • CVE-2007-3139Jun 8, 2007
    risk 0.03cvss epss 0.04

    config/general.php in Quick.Cart 2.2 and earlier uses a default username and password, which allows remote attackers to access the application via a login action to admin.php. NOTE: this can be leveraged to upload and execute arbitrary code.

  • CVE-2006-6391Dec 8, 2006
    risk 0.03cvss epss 0.02

    Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include arbitrary files via a .. (dot dot) in the config[db_type] parameter to (1) actions_admin/other.php…

  • CVE-2006-6390Dec 8, 2006
    risk 0.03cvss epss 0.02

    Multiple directory traversal vulnerabilities in Open Solution Quick.Cart 2.0, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the config[db_type] parameter to (1)…

  • CVE-2006-5834Nov 10, 2006
    risk 0.03cvss epss 0.02

    Directory traversal vulnerability in general.php in OpenSolution Quick.Cms.Lite 0.3 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the sLanguage Cookie parameter.

  • CVE-2005-1587May 14, 2005
    risk 0.03cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to inject arbitrary web script or HTML via the sWord parameter.

  • CVE-2026-23796Feb 5, 2026
    risk 0.00cvss epss 0.00

    Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was…

  • CVE-2026-23797Feb 5, 2026
    risk 0.00cvss epss 0.00

    In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version…

  • CVE-2025-67684Jan 22, 2026
    risk 0.00cvss epss 0.01

    Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute…