Deserialization Flaw in Quick.CMS Exposes Users to Code Execution Threats
CVE-2026-11860

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 15 June 2026

What is CVE-2026-11860?

Quick.CMS is vulnerable to a deserialization flaw that allows attackers to manipulate serialized data transferred over unprotected HTTP channels. Because this user-controlled data is not sanitized, it can be modified in transit, leading to arbitrary code execution when an administrator accesses the admin panel. The data is processed without the necessary validation or restrictions, which exposes the server to significant risk. A patch enforcing HTTPS communication was released in version 6.8 to mitigate this vulnerability; systems that have not applied this update remain at risk.

Affected Version(s)

Quick.CMS 0 <= 6.8

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Marta