Description
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel.

When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel.

This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026; deployments without this patch remain vulnerable.
Published: 2026-06-15
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quick.CMS receives serialized data over unencrypted HTTP and does not validate or authenticate it. The deserialization routine accepts user-controlled objects, allowing an attacker to modify the payload in transit and inject malicious objects that trigger PHP magic methods such as __wakeup() and __destruct(). This flaw, classified as CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Improper Control of Generation of Code ('Code Injection')), enables arbitrary code execution on the server when an administrator accesses the admin panel, which automatically triggers the vulnerable deserialization.
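The pattern the Description and Impact sections describe (wire data passed straight to unserialize(), so a swapped-in object's __wakeup() runs before any application code) next to a hardened receiver, as an added example that is not Quick.CMS code: the CacheEntry class, the two functions and the shared secret are hypothetical stand-ins.

```php
<?php
// Added example, not Quick.CMS code; every class, function and key name is hypothetical.
declare(strict_types=1);
// Stand-in for an application class whose magic method runs on deserialization.
// In a real gadget chain such a method would reach file or process APIs.
final class CacheEntry
{
    public string $path = '/tmp/cache.txt';
    public function __wakeup(): void
    {
        // Executes inside unserialize(), before application code ever sees the object.
        echo "__wakeup() ran for {$this->path}\n";
    }
}
// Vulnerable pattern: wire data is rebuilt into live objects, magic methods included.
function deserializeUnsafe(string $payload): mixed
{
    return unserialize($payload);
}
// Hardened pattern: refuse plaintext HTTP, verify an HMAC over the payload, and
// never rebuild application objects from wire data: allowed_classes=false turns any
// object into __PHP_Incomplete_Class, so no application __wakeup()/__destruct() can run.
function deserializeSafe(string $payload, string $mac, string $key, bool $isHttps): array
{
    if (!$isHttps) {
        throw new RuntimeException('refusing serialized data over plaintext HTTP');
    }
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('payload integrity check failed');
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('payload must be a plain array');
    }
    return $data;
}
// Constructed sample: a legitimate array payload, and the same request after an
// on-path attacker has replaced the body with a serialized object.
$key      = 'constructed-shared-secret';
$legit    = serialize(['lang' => 'en']);
$tampered = serialize(new CacheEntry());
deserializeUnsafe($tampered);                       // magic method fires during unserialize()
var_dump(deserializeSafe($legit, hash_hmac('sha256', $legit, $key), $key, true));
try {
    deserializeSafe($tampered, hash_hmac('sha256', $legit, $key), $key, true);
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The HMAC only helps if the key never travels over the same channel; enforcing HTTPS, as the 6.8 patch does, is what actually removes the on-path tampering opportunity.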

Affected Systems

OpenSolution Quick.CMS versions prior to 6.8 are affected. The vendor released a patch on 14.05.2026 that limits communication to HTTPS; deployments that have not applied this patch remain vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity issue. The EPSS score is not available, making it hard to estimate current exploitation likelihood. The vulnerability is not yet listed in the CISA KEV catalog. The primary attack vector is network-based: an attacker can intercept or inject malicious serialized payloads over plaintext HTTP to the admin interface, requiring that the target user authenticate as an administrator. Because the flaw leads to remote code execution and is easy to prove, the risk to affected systems is significant if the patch is not applied.

Generated by OpenCVE AI on June 15, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Quick.CMS 6.8 patch or upgrade to a newer version that enforces HTTPS
  • Configure the web server or load balancer to force HTTPS for all requests to the admin panel
  • Restrict administrator access to the application to trusted network segments or VPN tunnels to reduce exposure to unauthenticated HTTP traffic

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 12:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Opensolution; Opensolution quick.cms

Type: Vendors & Products
Values Removed: (none)
Values Added: Opensolution; Opensolution quick.cms

Mon, 15 Jun 2026 10:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.

Type: Title
Values Removed: (none)
Values Added: Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502; CWE-94

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


Subscriptions

Opensolution Quick.cms
MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-15T10:46:41.362Z

Reserved: 2026-06-10T10:55:47.646Z

Link: CVE-2026-11860

Vulnrichment

Updated: 2026-06-15T10:46:34.767Z

NVD

Status: Received

Published: 2026-06-15T10:16:27.870

Modified: 2026-06-15T10:16:27.870

Link: CVE-2026-11860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T11:30:15Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data
  • CWE-94: Improper Control of Generation of Code ('Code Injection')