VYPR
High severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-11860

Description

Quick.CMS versions ≤6.8 (pre-patch) deserialize attacker-tampered data over HTTP, enabling arbitrary code execution when an admin accesses the panel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution [1]. All versions up to and including 6.8 (before the patch of 14.05.2026) are affected [1][2].

Exploitation

An attacker needs network access to intercept or modify HTTP traffic between the Quick.CMS server and the administrator's browser. The attacker crafts a malicious serialized payload and injects it into the plaintext HTTP session. Exploitation is triggered automatically when an administrator accesses the admin panel, as the malicious deserialized objects execute without additional user interaction [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the server [1]. This leads to full compromise of the Quick.CMS installation, including disclosure, modification, or deletion of data, and potentially further lateral movement within the hosting environment.

Mitigation

The vendor released Quick.CMS version 6.8 on 14.05.2026, which mitigates the issue by limiting communication to HTTPS, ensuring integrity and authenticity of serialized data [1][2]. Deployments without this patch remain vulnerable. No workaround is documented for older versions. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
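The bug class the narrative describes, shown as an added illustration rather than Quick.CMS's own code (this page carries no source or fix diff): a per-admin state blob handed to the browser and deserialized when it comes back, first in the form that trusts whatever arrives on the wire, then in a hardened form that authenticates the blob with an HMAC and carries it as JSON so nothing on the wire can name a class. The vendor's actual fix is to restrict communication to HTTPS; the application-layer checks below are defence in depth against the same tampering. The class, function and cookie names and the secret-key handling are assumptions; PHP 8 syntax.

```php
<?php
// Added illustration, not Quick.CMS code. Names and cookie layout are assumptions.
declare(strict_types=1);

// Hypothetical application object kept between admin-panel requests.
final class PanelState
{
    public function __construct(public string $section = 'dashboard') {}
}

// --- Vulnerable pattern: deserialize whatever the browser sends back. ---
// unserialize() instantiates whichever class the blob names, and that class's
// __wakeup()/__destruct() run. Over plaintext HTTP an on-path party can rewrite
// the blob, so integrity of the input cannot be assumed.
function restoreStateUnsafe(string $cookieValue): mixed
{
    return unserialize(base64_decode($cookieValue)); // no integrity check, no class restriction
}

// --- Hardened pattern: authenticate the blob and keep it data-only. ---
// Assumption: a 32-byte random secret loaded from server-side configuration.
const STATE_KEY = 'replace-with-32-random-bytes-from-your-secret-store';

function saveState(PanelState $state): string
{
    // JSON carries values only; no class name travels to the client.
    $payload = json_encode(['section' => $state->section], JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, STATE_KEY);
    return base64_encode($mac . '.' . $payload);
}

function restoreStateSafe(string $cookieValue): ?PanelState
{
    $decoded = base64_decode($cookieValue, true);
    if ($decoded === false || !str_contains($decoded, '.')) {
        return null; // malformed: fail closed
    }
    [$mac, $payload] = explode('.', $decoded, 2);
    // Constant-time comparison; any change to payload or MAC fails closed.
    if (!hash_equals(hash_hmac('sha256', $payload, STATE_KEY), $mac)) {
        return null;
    }
    $data = json_decode($payload, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !is_string($data['section'] ?? null)) {
        return null; // schema check after authentication
    }
    // The object is built by our own constructor from validated scalars.
    return new PanelState($data['section']);
}

// If native serialization must stay for legacy reasons, forbid object
// instantiation: objects in the input become __PHP_Incomplete_Class and no
// magic methods fire.
function unserializeDataOnly(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed demonstration values.
$cookie = saveState(new PanelState('users'));
$restored = restoreStateSafe($cookie);
// Same cookie with one byte of the JSON altered, as an on-path rewrite would do.
$tampered = base64_encode(str_replace('users', 'files', base64_decode($cookie)));
$rejected = restoreStateSafe($tampered);
// Serialized object passed to the data-only variant: no PanelState is created.
$inert = unserializeDataOnly('O:10:"PanelState":1:{s:7:"section";s:5:"users";}');
var_dump($restored, $rejected, $inert);
```

The order of checks in restoreStateSafe matters: the MAC is verified before the JSON is parsed, so untrusted bytes never reach a parser or a constructor until they are known to be authentic. Rotating STATE_KEY invalidates every outstanding cookie, which is the intended behaviour if the key is suspected to be exposed.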

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0

No linked articles in our index yet.