PatchSiren

OpenSolution CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH OpenSolution CVE published 2026-06-15

CVE-2026-11860

CVE-2026-11860 is a high-severity vulnerability in Quick.CMS that allows attackers to execute arbitrary code via deserialization of user-controlled data. The vulnerability has a CVSS score of 7.5 and was published on June 15, 2026. The issue arises from Quick.CMS deserializing user-controlled data received over plaintext HTTP without ensuring integrity or authenticity, allowing attackers to tamper with se [truncated]

LOW OpenSolution CVE published 2026-05-29

CVE-2026-33386

QuickCMS versions prior to 6.8 (patched 2026-05-15) fetch plugin lists over unencrypted HTTP, enabling network‑positioned attackers to inject malicious HTML/JavaScript via a man‑in‑the‑middle attack against the opensolution.org endpoint. When an administrative user visits the plugin page, the attacker‑supplied payload is retrieved, rendered, and executed in the user's browser context. The CVSS 4.0 vector [truncated]

MEDIUM OpenSolution CVE published 2026-05-29

CVE-2026-33384

Session fixation vulnerability in QuickCMS allows pre-authentication session ID assignment that persists after login, enabling session hijacking attacks.

MEDIUM OpenSolution CVE published 2026-05-16

CVE-2021-47981

CVE-2021-47981 is a reported cross-site scripting issue in Quick.CMS 6.7 affecting the sliders form. The vulnerability is described as allowing an authenticated attacker to submit a malicious sDescription value that is later rendered as JavaScript in a victim browser, including through CSRF-style submission to the admin.php?p=sliders-form endpoint. The NVD record currently lists the issue as Medium severi [truncated]