Skip to main content

QuickCMS EUVDEUVD-2026-33338

| CVE-2026-33384 MEDIUM
Session Fixation (CWE-384)
2026-05-29 cvd@cert.pl GHSA-x6p9-8crm-x3hf
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 16:53 vuln.today

DescriptionCVE.org

QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.

AnalysisAI

Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.

Technical ContextAI

CWE-384 (Session Fixation) describes a failure to regenerate session identifiers upon privilege escalation - specifically, at the authentication boundary. QuickCMS, a CMS product by OpenSolution, accepts an externally suppliable session identifier prior to login and retains that same token after the user successfully authenticates. This violates the fundamental session lifecycle contract: a new, cryptographically fresh session ID should be issued at every privilege elevation event. No CPE strings were provided in source data; the affected product is OpenSolution QuickCMS 6.8 (unpatched builds prior to the 2026-05-15 fix). The CVSS 4.0 vector assigns AV:L (Local), which in CVSS 4.0 terminology means the vulnerable component is accessed in a local context, a designation that is atypical for classic session fixation and warrants verification against the CERT.pl advisory.

RemediationAI

Apply the patch released for QuickCMS 6.8 on 2026-05-15, available through OpenSolution at https://opensolution.org/home.html and documented in the CERT.pl advisory at https://cert.pl/posts/2026/05/CVE-2026-33384/. The fix corrects the session lifecycle so that a new session identifier is issued upon successful authentication, invalidating any pre-authentication token. The patch version confirmed is QuickCMS 6.8 with the 2026-05-15 update applied; an independently verified downstream release tag was not available in source data. If immediate patching is not feasible, administrators should enforce short session timeouts to minimize the window between session fixation and hijack, and audit any reverse proxy or WAF configuration for mechanisms that might accept or forward externally supplied session cookie values. Restricting access to the login endpoint to trusted network ranges reduces the population of potential attackers who can pre-position a session ID, though this trade-off impacts legitimate remote users.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

EUVD-2026-33338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy