CVE-2026-11860: CWE-502 Deserialization of Untrusted Data in OpenSolution Quick.CMS
Quick.CMS suffers from a deserialization vulnerability where user-controlled serialized data received over plaintext HTTP is processed without integrity or authenticity checks. This allows attackers to tamper with the serialized payloads in transit and inject malicious objects that can trigger dangerous PHP magic methods, potentially leading to arbitrary code execution. The vulnerability is triggered automatically when an administrator accesses the admin panel. A patch was released in version 6.8 that mitigates the issue by enforcing HTTPS communication. Deployments without this patch remain vulnerable.
AI Analysis
Technical Summary
CVE-2026-11860 is a deserialization of untrusted data vulnerability (CWE-502) in OpenSolution Quick.CMS. The product deserializes user-controlled data transmitted over unencrypted HTTP without verifying its integrity or authenticity. This enables attackers to modify serialized payloads in transit and inject malicious objects. Because deserialization occurs without proper validation or class restrictions, crafted payloads can invoke PHP magic methods such as __wakeup() and __destruct(), and leverage gadget chains to achieve arbitrary code execution on the server. Exploitation occurs automatically when an administrator accesses the admin panel. The issue was mitigated by enforcing HTTPS communication in Quick.CMS version 6.8, released on May 14, 2026. Versions prior to 6.8 remain vulnerable.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary code on the server by manipulating serialized data transmitted over an unprotected HTTP channel. This compromises server integrity and can lead to full system compromise. The attack requires an administrator to access the admin panel, which triggers deserialization of the malicious payload.
Mitigation Recommendations
A patch is available that mitigates this vulnerability by enforcing HTTPS communication, released in Quick.CMS version 6.8 on May 14, 2026. Deployments should upgrade to version 6.8 or later to remediate this issue. Until patched, avoid using the admin panel over unencrypted HTTP channels to reduce risk.
CVE-2026-11860: CWE-502 Deserialization of Untrusted Data in OpenSolution Quick.CMS
Description
Quick.CMS suffers from a deserialization vulnerability where user-controlled serialized data received over plaintext HTTP is processed without integrity or authenticity checks. This allows attackers to tamper with the serialized payloads in transit and inject malicious objects that can trigger dangerous PHP magic methods, potentially leading to arbitrary code execution. The vulnerability is triggered automatically when an administrator accesses the admin panel. A patch was released in version 6.8 that mitigates the issue by enforcing HTTPS communication. Deployments without this patch remain vulnerable.
CVSS v4.0
Score 7.5high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-11860 is a deserialization of untrusted data vulnerability (CWE-502) in OpenSolution Quick.CMS. The product deserializes user-controlled data transmitted over unencrypted HTTP without verifying its integrity or authenticity. This enables attackers to modify serialized payloads in transit and inject malicious objects. Because deserialization occurs without proper validation or class restrictions, crafted payloads can invoke PHP magic methods such as __wakeup() and __destruct(), and leverage gadget chains to achieve arbitrary code execution on the server. Exploitation occurs automatically when an administrator accesses the admin panel. The issue was mitigated by enforcing HTTPS communication in Quick.CMS version 6.8, released on May 14, 2026. Versions prior to 6.8 remain vulnerable.
Potential Impact
Successful exploitation allows remote attackers to execute arbitrary code on the server by manipulating serialized data transmitted over an unprotected HTTP channel. This compromises server integrity and can lead to full system compromise. The attack requires an administrator to access the admin panel, which triggers deserialization of the malicious payload.
Mitigation Recommendations
A patch is available that mitigates this vulnerability by enforcing HTTPS communication, released in Quick.CMS version 6.8 on May 14, 2026. Deployments should upgrade to version 6.8 or later to remediate this issue. Until patched, avoid using the admin panel over unencrypted HTTP channels to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-06-10T10:55:47.646Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2fcd370b89be6888a76e03
Added to database: 6/15/2026, 10:00:23 AM
Last enriched: 6/15/2026, 10:15:12 AM
Last updated: 6/15/2026, 11:01:15 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.