CVE-2026-33386

NONE

—CVSS v3

—CVSS v2

0.03% EPSS (exploit probability)

CWE-79CWE

Description

QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed.

This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.

Affected routers (0)

No routers currently mapped to this CVE in our database.

External references

NIST NVD
MITRE CVE