What is GHSA-wq6v-xp72-v7h5?

GHSA-wq6v-xp72-v7h5 is a security advisory published by GitHub Security Advisories with Low severity. QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin...

Which CVE IDs does GHSA-wq6v-xp72-v7h5 cover?

GHSA-wq6v-xp72-v7h5 covers the following CVE IDs: CVE-2026-33386. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-wq6v-xp72-v7h5Low

QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin...

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-33386 →

📋 Description

QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed.

This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-33386
https://cert.pl/posts/2026/05/CVE-2026-33384
https://opensolution.org/home.html
https://github.com/advisories/GHSA-wq6v-xp72-v7h5