What is GHSA-x6p9-8crm-x3hf?

GHSA-x6p9-8crm-x3hf is a security advisory published by GitHub Security Advisories with Medium severity. QuickCMS allows a user's session identifier to be set before authentication. The value of this...

Which CVE IDs does GHSA-x6p9-8crm-x3hf cover?

GHSA-x6p9-8crm-x3hf covers the following CVE IDs: CVE-2026-33384. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

GHSA-x6p9-8crm-x3hfMedium

QuickCMS allows a user's session identifier to be set before authentication. The value of this...

Vendor

GitHub Security Advisories

Published

May 29, 2026

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2026-33384 →

📋 Description

QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-33384
https://cert.pl/posts/2026/05/CVE-2026-33384
https://opensolution.org/home.html
https://github.com/advisories/GHSA-x6p9-8crm-x3hf