PatchSiren cyber security CVE debrief

CVE-2026-33386 OpenSolution CVE debrief

QuickCMS versions prior to 6.8 (patched 2026-05-15) fetch plugin lists over unencrypted HTTP, enabling network-positioned attackers to inject malicious HTML/JavaScript via a man-in-the-middle attack against the opensolution.org endpoint. When an administrative user visits the plugin page, the attacker-supplied payload is retrieved, rendered, and executed in the user's browser context. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects adjacent network access, low attack complexity, an attack requirement (AT:P, the attacker must already sit on the path to opensolution.org), no privileges or user interaction, no impact on the vulnerable component itself (VC/VI/VA:N), and low confidentiality and integrity impact on the subsequent system (SC:L/SI:L) with no availability impact. The vulnerability is classified as CWE-79 (Cross-site Scripting).

Vendor: OpenSolution
Product: QuickCMS
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running QuickCMS prior to 6.8 for website content management, particularly those with administrative interfaces exposed to untrusted or shared network segments.

Technical summary

The QuickCMS administrative interface retrieves available plugins from opensolution.org over cleartext HTTP. A threat actor with adjacent network access can intercept this request and return a crafted response containing executable scripts. Because the application renders the fetched content directly, the injected script executes with the privileges of the authenticated administrator. The attack does not require user interaction beyond normal plugin browsing and does not affect the CMS core availability, but can lead to session hijacking or administrative action forgery. The vendor addressed this by enforcing HTTPS and implementing response validation in version 6.8, released 2026‑05‑15.

Defensive priority

Routine

Recommended defensive actions

  • Upgrade QuickCMS to version 6.8 or later, which transmits plugin metadata over HTTPS and validates content integrity.
  • If immediate patching is not feasible, block outbound HTTP traffic to opensolution.org at the network perimeter and verify plugin sources manually before installation.
  • Review administrative access controls to limit exposure of the plugin management interface to trusted networks only.
  • Monitor proxy and DNS logs for anomalous resolution or requests to opensolution.org from QuickCMS hosts.
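As an added illustration, not QuickCMS's own code (Python is used so the logic can be run directly), the render-whatever-came-back pattern the technical summary describes sits beside a hardened fetch that enforces the HTTPS and response-validation behaviour the 6.8 upgrade is credited with. The feed path, the JSON shape with name/version fields, and the injectable opener are assumptions made for the example.

```python
import html
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Assumed feed location and JSON shape; the advisory does not state the real path or format.
PLUGIN_FEED_URL = "https://opensolution.org/plugins.json"
ALLOWED_HOST = "opensolution.org"


def check_feed_url(url: str) -> str:
    """Refuse anything but HTTPS to the expected host; before 6.8 the feed was plain http://."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != ALLOWED_HOST:
        raise ValueError(f"refusing cleartext or off-host plugin feed: {url}")
    return url


def fetch_feed(url: str, opener=None) -> bytes:
    """Fetch with chain and hostname verification on. `opener` is an injectable
    transport (assumed helper) so the logic can be exercised offline."""
    check_feed_url(url)
    if opener is None:
        ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
        opener = lambda u: urllib.request.urlopen(u, context=ctx, timeout=10).read()
    return opener(url)


def render_plugins_unsafe(body: bytes) -> str:
    """Pre-6.8 pattern as the advisory describes it: the response is emitted as markup."""
    return body.decode("utf-8", "replace")


def render_plugins_safe(body: bytes) -> str:
    """Hardened pattern: treat the response as data, keep known fields, escape on output."""
    data = json.loads(body)
    if not isinstance(data, list):
        raise ValueError("plugin feed is not a list")
    rows = []
    for item in data:
        name = html.escape(str(item.get("name", "")), quote=True)
        version = html.escape(str(item.get("version", "")), quote=True)
        rows.append(f"<li>{name} {version}</li>")
    return "<ul>" + "".join(rows) + "</ul>"


# Constructed stand-in for a tampered response from an on-path attacker.
TAMPERED_FEED = b'[{"name": "Gallery<script>alert(1)</script>", "version": "1.0"}]'

if __name__ == "__main__":
    print(render_plugins_unsafe(TAMPERED_FEED))   # script tag reaches the admin page
    print(render_plugins_safe(fetch_feed(PLUGIN_FEED_URL, opener=lambda u: TAMPERED_FEED)))
```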

Evidence notes

Official CVE record and NVD entry published 2026‑05‑29; CERT‑PL advisory and vendor domain referenced in source metadata. Patch released 2026‑05‑15 per CVE description.

Official resources

2026-05-29