Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed.
This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.
AnalysisAI
Cross-site scripting in QuickCMS allows a network-adjacent unauthenticated attacker to inject and execute arbitrary JavaScript in a victim user's browser by intercepting the CMS's unencrypted HTTP request to the opensolution.org plugin list endpoint. Any QuickCMS deployment running an unpatched version of 6.8 that fetches plugin listings over plain HTTP is affected. No public exploit code or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects the adjacent-network and MITM prerequisites that significantly constrain realistic attacker reach.
Technical ContextAI
QuickCMS (vendor: opensolution.org) retrieves its plugin catalog by making an unauthenticated HTTP (not HTTPS) request to a remote endpoint. Because the transport is unencrypted, any attacker capable of performing a Man-in-the-Middle interception on the network path between the CMS host and opensolution.org can substitute the legitimate plugin-list response with attacker-controlled HTML or JavaScript. The CMS then renders this response directly in the browser of the administrative user visiting the plugin page without sanitization, satisfying the definition of CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting). The root cause is the combination of using HTTP instead of HTTPS for fetching remote content and the lack of output encoding or content-type validation on the fetched response. The CVSS 4.0 Attack Requirements metric AT:P confirms that a specific prerequisite - the ability to intercept the HTTP channel - must be present, which is consistent with ARP spoofing, rogue Wi-Fi, or DNS hijacking on an adjacent network segment (AV:A).
RemediationAI
Apply the patch to QuickCMS 6.8 published by opensolution.org on 15 May 2026; vendor advisory is at https://opensolution.org/home.html. As a compensating control for deployments that cannot patch immediately, restrict network access so that the web server or admin workstation fetching plugin listings cannot be intercepted - for example, route CMS outbound traffic through a trusted VPN or ensure administrators only access the plugin page from a fully trusted, isolated network segment. Additionally, enforcing HTTPS for all outbound requests at the network or host firewall level (e.g., blocking port 80 egress from the CMS host) would neutralize the MITM vector by preventing unencrypted HTTP fetches to opensolution.org. Note that blocking port 80 egress may break other HTTP-based CMS functionality and should be tested before deployment. No workarounds eliminate the underlying CWE-79 root cause without the vendor patch.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33339
GHSA-wq6v-xp72-v7h5