This page lists publicly disclosed CVE vulnerabilities affecting opensolution quick.cms (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-9982 | A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnera | [email protected] | 6.9 | 0.04% | 2025-11-14 | 2025-11-17 |
| CVE-2025-10018 | QuickCMS is vulnerable to multiple Stored XSS in language editor functionality (languages). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other v | [email protected] | 4.8 | 0.04% | 2025-11-14 | 2025-11-17 |
| CVE-2025-9981 | QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed on every page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other | [email protected] | 4.8 | 0.03% | 2025-10-23 | 2025-11-17 |
| CVE-2025-9980 | QuickCMS is vulnerable to multiple Stored XSS in page editor functionality (pages-form). Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable | [email protected] | 4.8 | 0.03% | 2025-10-23 | 2025-11-17 |
| CVE-2025-55175 | QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | [email protected] | 5.1 | 0.07% | 2025-08-28 | 2025-09-08 |
| CVE-2025-54544 | QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirme | [email protected] | 5.3 | 0.03% | 2025-08-28 | 2025-09-08 |
| CVE-2025-54543 | QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed | [email protected] | 5.3 | 0.03% | 2025-08-28 | 2025-09-08 |
| CVE-2025-54542 | QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | [email protected] | 6.9 | 0.01% | 2025-08-28 | 2025-09-08 |
| CVE-2025-54541 | QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | [email protected] | 6.9 | 0.04% | 2025-08-28 | 2025-09-08 |
| CVE-2025-54540 | QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | [email protected] | 5.1 | 0.07% | 2025-08-28 | 2025-09-08 |
| CVE-2025-54174 | QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested | [email protected] | 5.1 | 0.02% | 2025-08-20 | 2025-09-08 |
| CVE-2025-54172 | QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any JS scripts into the page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, | [email protected] | 4.8 | 0.03% | 2025-08-20 | 2025-09-08 |
| CVE-2020-35754 | OpenSolution Quick.CMS < 6.7 and Quick.Cart < 6.7 allow an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Language tab. | [email protected] | 7.2 | 14.46% | 2021-01-28 | 2024-11-21 |
| CVE-2012-3833 | Cross-site scripting (XSS) vulnerability in the default index page in admin/ in Quick.CMS 4.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. | [email protected] | 4.3 | 0.37% | 2012-07-03 | 2026-04-29 |
| CVE-2009-4121 | Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete web pages via a p-delete action to admin.php, and possibly (2) delete products or (3) delete orders via unspecified vectors. NOTE: some of these details are obtained from third party information. | [email protected] | 6.8 | 0.19% | 2009-12-01 | 2026-04-23 |