CVE-2026-33384— Session Fixation in QuickCMS
Possible ATT&CK Techniques 1AI
T1110 · Brute ForceAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenSolution | QuickCMS | ≤ 6.8 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33384
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Session Fixation in QuickCMS
Source: NVD (National Vulnerability Database)
Vulnerability Description
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
会话固定
Source: NVD (National Vulnerability Database)
Vulnerability Title
QuickCMS 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
QuickCMS是QuickCMS开源的一款内容管理系统。 QuickCMS存在授权问题漏洞,该漏洞源于允许在身份验证之前设置用户会话标识符,且该会话ID值在身份验证后保持不变,使攻击者能够固定受害者的会话ID并在之后劫持已验证的会话。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| OpenSolution | QuickCMS | 0 ~ 6.8 | - |
II. Public POCs for CVE-2026-33384
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33384
请登录查看更多情报信息。
Security Blog Posts for CVE-2026-33384 (1)
- 🔗 Podatności w oprogramowaniu QuickCMS | CERT Polskathird-party-advisory
Other References for CVE-2026-33384 (1)
IV. Related Vulnerabilities
Same weakness: CWE-384
- CVE-2026-48545
Gradio < 6.15.0 Cookie Injection via Shared Proxy Client - CVE-2026-43827
Apache Shiro: Session fixation: new session is not created a - CVE-2026-41613
Visual Studio Code Elevation of Privilege Vulnerability - CVE-2026-30808
Session Fixation in Authentication leads to Session Hijackin - CVE-2025-46605
Dell PowerProtect Data Domain(Dell PowerProtect DD) 安全漏洞
V. Comments for CVE-2026-33384
No comments yet