CVE-2026-11860
Received Received - Intake
Deserialization Flaw in Quick.CMS Leads to RCE

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: CERT.PL

Description
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-15
AI Q&A
2026-06-15
EPSS Evaluated
N/A
NVD
CVE-2026-11860
EUVD
EUVD-2026-36703
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opensolution quick.cms From 6.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Quick.CMS involves deserializing user-controlled data received over plaintext HTTP without verifying its integrity or authenticity.

Attackers can tamper with serialized payloads during transmission and inject malicious objects.

Because the deserialization process lacks proper validation or class restrictions, crafted payloads can trigger dangerous magic methods such as __wakeup() and __destruct(), enabling exploitation through gadget chains.

This leads to arbitrary code execution on the server when an administrator accesses the admin panel.

The issue was fixed in version 6.8 by enforcing HTTPS communication, but unpatched versions remain vulnerable.

Impact Analysis

This vulnerability allows attackers to execute arbitrary code on the server hosting Quick.CMS.

Successful exploitation can lead to full compromise of the server, including unauthorized access, data theft, data manipulation, or disruption of services.

Because the attack is triggered automatically when an administrator accesses the admin panel, it can be exploited remotely without direct interaction from the administrator.

Detection Guidance

This vulnerability involves deserialization of user-controlled data transmitted over plaintext HTTP without integrity or authenticity checks. Detection can focus on monitoring network traffic for unencrypted HTTP communication to the Quick.CMS admin panel, which is vulnerable if not patched.

Commands to detect this might include network traffic inspection tools to identify HTTP requests to the admin panel, for example using tcpdump or Wireshark to capture and analyze traffic on port 80.

  • tcpdump -i <interface> tcp port 80 and host <server_ip>
  • tshark -Y "http.request" -i <interface>

Additionally, checking the Quick.CMS version on the server can help identify if the patch limiting communication to HTTPS (version 6.8 or later) is applied.

Mitigation Strategies

The immediate mitigation step is to ensure that communication with Quick.CMS is limited to HTTPS only, as the vulnerability is exploited via unprotected HTTP channels.

Updating Quick.CMS to version 6.8 or later, which includes a patch restricting communication to HTTPS, is critical to prevent exploitation.

If updating immediately is not possible, consider blocking HTTP traffic to the admin panel and enforcing HTTPS via network or web server configuration.

Compliance Impact

This vulnerability allows attackers to execute arbitrary code on the server by tampering with serialized data transmitted over an unprotected HTTP channel. Such unauthorized code execution and data manipulation can lead to breaches of data confidentiality, integrity, and availability.

Because the vulnerability involves interception and modification of data in transit without integrity or authenticity checks, it undermines secure data handling practices required by standards like GDPR and HIPAA.

Exploitation could result in unauthorized access to sensitive personal or health information, potentially causing non-compliance with regulations that mandate protection of such data.

Mitigation by enforcing HTTPS communication (introduced in version 6.8) helps align with these compliance requirements by securing data in transit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart