QSearchQSearch

CVE-2026-33384

QuickCMS allows a user's session identifier to be set before authentication

Published: 2026-05-29 · Last updated: 2026-05-29

Severity and scoring

CWE
CWE-384

Description

QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2009-10007 Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks (9.1 CRITICAL)
  • CVE-2026-41839 A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalati... (4.2 MEDIUM)
  • CVE-2026-11335 A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500e... (6.3 MEDIUM)
  • CVE-2025-67446 Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before (9.8 CRITICAL)
  • CVE-2026-48545 Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixati... (6.8 MEDIUM)