CVE-2026-33384: CWE-384 Session Fixation in OpenSolution QuickCMS
OpenSolution QuickCMS versions prior to 6. 8 are affected by a session fixation vulnerability (CVE-2026-33384) where the session identifier can be set before authentication and remains unchanged after login. This allows an attacker to fix a session ID for a victim and potentially hijack the authenticated session. A patch addressing this issue was released in version 6. 8 on May 15, 2026. Systems not updated to this version remain vulnerable. The vulnerability has a CVSS 4. 8 score, indicating medium severity.
AI Analysis
Technical Summary
CVE-2026-33384 is a session fixation vulnerability in OpenSolution QuickCMS where the session ID is assigned before user authentication and is not regenerated after login. This behavior enables attackers to set a known session ID for a victim, which can be used to hijack the victim's authenticated session. The issue was fixed in QuickCMS version 6.8, released on May 15, 2026. No known exploits are reported in the wild, and the vulnerability has a medium severity rating with a CVSS 4.8 score.
Potential Impact
An attacker who can set or predict a session ID before authentication may hijack the victim's authenticated session, potentially gaining unauthorized access to the victim's account or data within QuickCMS. The impact is limited to session hijacking and depends on the attacker's ability to fix the session ID prior to victim login.
Mitigation Recommendations
Apply the official patch by upgrading QuickCMS to version 6.8 or later, which fixes the session fixation vulnerability. Deployments that have not applied this patch remain vulnerable. No other mitigation or temporary fix is indicated in the available data.
CVE-2026-33384: CWE-384 Session Fixation in OpenSolution QuickCMS
Description
OpenSolution QuickCMS versions prior to 6. 8 are affected by a session fixation vulnerability (CVE-2026-33384) where the session identifier can be set before authentication and remains unchanged after login. This allows an attacker to fix a session ID for a victim and potentially hijack the authenticated session. A patch addressing this issue was released in version 6. 8 on May 15, 2026. Systems not updated to this version remain vulnerable. The vulnerability has a CVSS 4. 8 score, indicating medium severity.
CVSS v4.0
Score 4.8medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33384 is a session fixation vulnerability in OpenSolution QuickCMS where the session ID is assigned before user authentication and is not regenerated after login. This behavior enables attackers to set a known session ID for a victim, which can be used to hijack the victim's authenticated session. The issue was fixed in QuickCMS version 6.8, released on May 15, 2026. No known exploits are reported in the wild, and the vulnerability has a medium severity rating with a CVSS 4.8 score.
Potential Impact
An attacker who can set or predict a session ID before authentication may hijack the victim's authenticated session, potentially gaining unauthorized access to the victim's account or data within QuickCMS. The impact is limited to session hijacking and depends on the attacker's ability to fix the session ID prior to victim login.
Mitigation Recommendations
Apply the official patch by upgrading QuickCMS to version 6.8 or later, which fixes the session fixation vulnerability. Deployments that have not applied this patch remain vulnerable. No other mitigation or temporary fix is indicated in the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-03-19T10:45:47.735Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19bc63e29bf47b50f702dc
Added to database: 5/29/2026, 4:18:43 PM
Last enriched: 5/29/2026, 4:34:42 PM
Last updated: 5/29/2026, 5:28:27 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.