CVE-2026-11860
published 2026-06-15CVE-2026-11860: Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with…
PriorityP340high7.5CVSS 4.0
AVAACLATPPRNUIPVCHVIHVAHSCLSILSALEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.24%
14.4th percentile
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel.
When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel.
This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensolution | quick.cms | <= 6.8 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
OpenSolution Quick.CMS up to 6.8 __wakeup/__destruct deserialization
vuldb·2026-06-15·CVSS 7.5
CVE-2026-11860 [HIGH] OpenSolution Quick.CMS up to 6.8 __wakeup/__destruct deserialization
A vulnerability was found in OpenSolution Quick.CMS up to 6.8 and classified as problematic. This affects the function __wakeup/__destruct. The manipulation results in deserialization.
This vulnerability was named CVE-2026-11860. The attack may be performed from remote. There is no available exploit.
It is best practice to apply a patch to resolve this issue.
GHSA
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity.
ghsa_unreviewed·2026-06-15
CVE-2026-11860 [HIGH] CWE-94 Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity.
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel.
When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel.
This issue was mitigated by limiting the communication to HTTPS in a patch
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-15
Published