Severity by source
CVSS vector (vendor: CERT-PL): CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Rationale: an adjacent-network MITM position is required (AV:A); the need to tamper with traffic at the right moment is expressed as an attack requirement (AT:P) rather than higher complexity (AC:L); the attacker needs no authentication (PR:N); an administrator must visit the panel (UI:P); full RCE gives VC/VI/VA:H.
Primary rating from vendor (CERT-PL).
Description (source: CVE.org)
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel.
When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel.
This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026; deployments without this patch remain vulnerable.
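The description above names the two defects that combine here: serialized data is accepted from an unauthenticated channel, and `unserialize()` is called without class restrictions, so a tampered payload can instantiate arbitrary classes and run their `__wakeup()`/`__destruct()`. The following PHP is an added illustration written for this page, not Quick.CMS code: it places the unsafe pattern next to a hardened handler that authenticates the blob with an HMAC before parsing, stores settings as JSON (which has no object-instantiation semantics), and, for any legacy PHP-serialized blob that must still be read, disables object instantiation. The settings key, function names, and sample data are assumptions.

```php
<?php
// Added example, not Quick.CMS code. Names, key, and data are assumptions.

// --- Vulnerable pattern: trust whatever arrives on the wire ---------------
// Over plaintext HTTP an on-path attacker can rewrite $blob; unserialize()
// then instantiates any class named in the payload and runs its
// __wakeup()/__destruct(), which is the gadget-chain entry point.
function loadSettingsUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// --- Hardened handler ----------------------------------------------------
// 1. Authenticate the blob with an HMAC under a server-side secret so that a
//    tampered payload is rejected before it is parsed at all.
// 2. Carry data as JSON; json_decode() never instantiates application classes.
// 3. For legacy PHP-serialized input, pass allowed_classes => false so that
//    no object (and therefore no magic method) can be created.

const SETTINGS_HMAC_KEY = 'replace-with-a-random-32-byte-secret'; // assumption

function sealSettings(array $settings): string
{
    $payload = json_encode($settings, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, SETTINGS_HMAC_KEY);
    return $mac . '.' . base64_encode($payload);
}

function openSettings(string $sealed): ?array
{
    $parts = explode('.', $sealed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, SETTINGS_HMAC_KEY);
    // Constant-time comparison so the MAC cannot be recovered byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Legacy compatibility: read an old PHP-serialized blob without ever
// instantiating application classes. Any object in the payload becomes an
// inert __PHP_Incomplete_Class; reject those rather than using them.
function loadLegacySerialized(string $blob): mixed
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;
    }
    return $value;
}

// Constructed demo input.
$sealed = sealSettings(['theme' => 'default', 'perPage' => 20]);
$tampered = substr($sealed, 0, -4) . 'AAAA';          // simulate on-path edit
var_dump(openSettings($sealed) !== null);           // intact blob accepted
var_dump(openSettings($tampered) === null);         // tampered blob rejected
var_dump(loadLegacySerialized('O:8:"stdClass":0:{}') === null); // object refused
```

Of the three controls, the HMAC is the one that directly addresses the "without ensuring integrity or authenticity" part of the description; forcing HTTPS, as the vendor patch does, removes the tampering opportunity at the transport layer, while `allowed_classes => false` and JSON remove the deserialization sink itself, so a deployment that cannot yet upgrade still has a defence that does not depend on the channel.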
Analysis (AI-generated)
Unsafe PHP deserialization in Quick.CMS by OpenSolution lets an on-path attacker who can tamper with the plaintext HTTP channel inject malicious serialized objects that are deserialized when an administrator opens the admin panel, yielding arbitrary code execution on the server. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:P) reflects that exploitation requires adjacent-network MITM positioning plus an administrator session; no public exploit was identified at the time of analysis. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires three concrete conditions drawn from the description and CVSS 4.0 vector: (1) the Quick.CMS instance must be reachable over plaintext HTTP (the patch's mitigation is to force HTTPS, so any deployment still served over HTTP, or any HTTPS deployment with a downgrade path, is in scope); (2) the attacker must occupy an adjacent-network/on-path position able to modify HTTP traffic between an administrator and the server (AV:A, AT:P), e.g. … |
| Risk Assessment | The CVSS 4.0 base score of 7.5 reasonably captures the real-world risk: full confidentiality/integrity/availability impact on the vulnerable server (VC:H/VI:H/VA:H) is gated by the adjacent-network attack vector (AV:A), an attack requirement (AT:P), namely the ability to intercept and modify plaintext HTTP traffic, and passive user interaction (UI:P) in the form of an administrator visiting the panel. … |
| Exploit Scenario | An attacker on the same network segment as a Quick.CMS administrator (for example a shared Wi-Fi, a hostile ISP hop, or a LAN compromised via ARP spoofing) intercepts the plaintext HTTP response delivered to the admin browser and replaces a serialized blob with a crafted PHP gadget chain. When the administrator's next request causes the server to deserialize that blob during normal admin-panel processing, __wakeup()/__destruct() chains fire and execute attacker-chosen PHP, giving code execution as the web user. … |
| Remediation | Apply the vendor-released patch for Quick.CMS 6.8 published on 14.05.2026 (see https://opensolution.org/ and the CERT-PL advisory at https://cert.pl/posts/2026/06/CVE-2026-11860/), which mitigates the flaw by forcing the affected channel to HTTPS. … |
Recommended Action (AI-generated)
24 hours: Inventory all Quick.CMS instances and identify those running versions prior to 6.8; assess whether admin panels are exposed to untrusted networks. …
Related identifiers:
EUVD-2026-36703
GHSA-vwj5-2gmw-wjp6