Full Report
A Deserialization of Untrusted Data vulnerability (CVE-2026-11860) has been found in the Quick.CMS software.
Analysis Summary
# Vulnerability: Deserialization of Untrusted Data in Quick.CMS
## CVE Details
- **CVE ID**: CVE-2026-11860
- **CVSS Score**: Not explicitly provided in the article (High severity inferred)
- **CWE**: CWE-502: Deserialization of Untrusted Data
## Affected Systems
- **Products**: OpenSolution Quick.CMS
- **Versions**: All versions through 6.8 (until the patch published on 14.05.2026)
- **Configurations**: Deployments communicating over plaintext HTTP or those that have not applied the May 2026 security patch.
## Vulnerability Description
Quick.CMS suffers from a flaw where it deserializes user-controlled data received over plaintext HTTP without verifying its integrity or authenticity. Because the software does not implement validation or class restrictions during this process, an attacker can tamper with serialized payloads in transit. By injecting malicious objects, an attacker can trigger PHP "magic methods" (such as `__wakeup()` and `__destruct()`) to execute gadget chains, leading to Remote Code Execution (RCE).
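The pattern described above, as an added example that is not Quick.CMS code and not taken from the advisory: a client-held value is passed straight to `unserialize()`, so any object class in the payload is instantiated and its `__wakeup()` runs. Beside it is a hardened variant that authenticates the value with an HMAC before parsing, stores client-held state as JSON instead of a PHP object graph, and, where legacy serialized data must still be read, refuses object instantiation with `allowed_classes => false`. The class `SessionPrefs`, the functions, the cookie layout and the key constant are all hypothetical; the serialized sample is constructed, not captured traffic.

```php
<?php
// Added example (hypothetical names, not Quick.CMS code).
// A class with a magic method: every instance rebuilt by unserialize()
// runs __wakeup() automatically; this hook is what gadget chains rely on.
class SessionPrefs
{
    public string $theme = 'light';

    public function __wakeup(): void
    {
        // Benign side effect here; in a real gadget this is the dangerous step.
        error_log('SessionPrefs::__wakeup ran for theme=' . $this->theme);
    }
}

// VULNERABLE: unserialize() on data the client controls, no integrity check,
// every class permitted. Over plaintext HTTP the value can be rewritten in transit.
function loadPrefsUnsafe(string $cookieValue): mixed
{
    return unserialize($cookieValue);
}

// HARDENED: (1) a server-side HMAC so tampered values are rejected before any
// parser sees them, (2) JSON instead of a PHP object graph, (3) a depth limit.
// Placeholder key: generate 32 random bytes with random_bytes() and keep it
// out of the web root in a real deployment.
const PREFS_KEY = 'PLACEHOLDER-KEY-REPLACE-WITH-RANDOM-BYTES';

function sealPrefs(array $prefs): string
{
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, PREFS_KEY);
    return base64_encode($json) . '.' . $mac;
}

function loadPrefsSafe(string $cookieValue): ?array
{
    $parts = explode('.', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $json, PREFS_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                          // forged or modified value: reject
    }
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// If legacy serialized data must still be read, at least refuse objects:
// with allowed_classes => false every object becomes __PHP_Incomplete_Class
// and no __wakeup()/__destruct() of a real class is invoked.
function unserializeNoObjects(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed cookie value for the demo (the benign class above, not a gadget).
$tampered = 'O:12:"SessionPrefs":1:{s:5:"theme";s:4:"dark";}';
loadPrefsUnsafe($tampered);   // __wakeup() fires: the class named in the value ran
var_dump(unserializeNoObjects($tampered) instanceof __PHP_Incomplete_Class); // bool(true)

$sealed = sealPrefs(['theme' => 'dark']);
var_dump(loadPrefsSafe($sealed));                        // ['theme' => 'dark']
var_dump(loadPrefsSafe(substr($sealed, 0, -1) . 'x'));   // NULL: MAC mismatch
```

The HMAC check is what the HTTPS-only patch described under Remediation does not provide by itself: transport encryption stops an on-path party from rewriting the value, but a tampered or forged value that reaches the server through any other route still fails the integrity check before `unserialize()` or `json_decode()` is ever called. `unserializeNoObjects()` is a stop-gap for data that cannot yet be migrated; it neutralises the magic-method trigger but still parses attacker-controlled structure, so the JSON path is the preferred end state.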
## Exploitation
- **Status**: Reported via CERT Polska CVD program; PoC details are implied via technical description but not publicly linked in the article.
- **Complexity**: Low (Exploitation is triggered automatically when an administrator accesses the admin panel).
- **Attack Vector**: Network (specifically via Man-in-the-Middle or manipulation of unprotected HTTP traffic).
## Impact
- **Confidentiality**: High (Arbitrary code execution allows full data access)
- **Integrity**: High (Attackers can modify server files and data)
- **Availability**: High (Potential for full system takeover or service disruption)
## Remediation
### Patches
- **Quick.CMS v6.8 Patch (2026-05-14)**: OpenSolution released a patch for version 6.8 that mitigates the issue by enforcing HTTPS for communication, preventing the interception and manipulation of the serialized data in transit.
### Workarounds
- **Enforce HTTPS**: Manually ensure the admin panel and all site communication are forced over TLS/SSL to prevent transit tampering.
- **Access Control**: Restrict access to the admin panel to trusted IP addresses only until the patch is applied.
## Detection
- **Indicators of Compromise**: Monitor for unusual PHP objects or serialized strings in HTTP GET/POST requests and cookies.
- **Detection methods and tools**:
  - Audit web server logs for unauthorized access to the admin panel.
  - Use network security monitoring to detect plaintext HTTP traffic to CMS administrative endpoints.
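The first indicator above (serialized PHP objects arriving in query strings or cookies) can be checked mechanically. The scanner below is an added example, not part of the advisory or of Quick.CMS: it looks for the serialized-object header `O:<len>:"<Class>":<n>:{` in request parameters, trying the raw value, its URL-decoded form and a strict base64 decode, because the value usually arrives encoded. The one-line log layout, the field names and the sample lines are all constructed assumptions; adapt `parseRequestLine()` to the real access-log format.

```php
<?php
// Added example (assumed log format, constructed sample lines).

// Header of a serialized PHP object: O:<len>:"<ClassName>":<n>:{
// Class names may contain namespace backslashes.
const SERIALIZED_OBJECT_RE = '/\bO:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

// Return every object header found in a value, checking the raw value,
// its URL-decoded form and a strict base64 decode.
function findSerializedObjects(string $value): array
{
    $candidates = [$value, urldecode($value)];
    $decoded = base64_decode($value, true);
    if ($decoded !== false) {
        $candidates[] = $decoded;
    }
    $hits = [];
    foreach ($candidates as $candidate) {
        if (preg_match_all(SERIALIZED_OBJECT_RE, $candidate, $m)) {
            $hits = array_merge($hits, $m[0]);
        }
    }
    return array_values(array_unique($hits));
}

// Assumed one-line layout: "<ip> <method> <path> query=<raw query> cookie=<raw cookie>"
function parseRequestLine(string $line): ?array
{
    if (!preg_match('/^(\S+) (\S+) (\S+) query=(\S*) cookie=(\S*)$/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'query' => $m[4], 'cookie' => $m[5]];
}

// Split "a=1&b=2" or "a=1;b=2" into name => value pairs without decoding yet.
function splitPairs(string $raw): array
{
    $pairs = [];
    foreach (preg_split('/[&;]/', $raw, -1, PREG_SPLIT_NO_EMPTY) as $pair) {
        [$name, $val] = array_pad(explode('=', $pair, 2), 2, '');
        $pairs[$name] = $val;
    }
    return $pairs;
}

// One finding per parameter or cookie that carries an object header.
function scanRequestLine(string $line): array
{
    $req = parseRequestLine($line);
    if ($req === null) {
        return [];
    }
    $findings = [];
    foreach (['query' => $req['query'], 'cookie' => $req['cookie']] as $field => $raw) {
        foreach (splitPairs($raw) as $name => $val) {
            foreach (findSerializedObjects($val) as $marker) {
                $findings[] = ['ip' => $req['ip'], 'path' => $req['path'],
                               'field' => "$field:$name", 'marker' => $marker];
            }
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic). The second carries a
// URL-encoded object in the query string, the third a plain one in a cookie.
$sampleLog = [
    '203.0.113.7 GET /admin.php query=p=login cookie=PHPSESSID=abc123',
    '203.0.113.9 GET /index.php query=id=1&cfg=O%3A3%3A%22Cfg%22%3A0%3A%7B%7D cookie=',
    '198.51.100.4 POST /admin.php query= cookie=prefs=O:12:"SessionPrefs":1:{s:5:"theme";s:4:"dark";}',
];

foreach ($sampleLog as $line) {
    foreach (scanRequestLine($line) as $f) {
        printf("ALERT %s %s %s -> %s\n", $f['ip'], $f['path'], $f['field'], $f['marker']);
    }
}
```

Expect the first line to produce nothing and the other two to raise one alert each. The pattern is deliberately narrow (object headers only, not arrays or scalars) so that ordinary serialized arrays in cookies do not flood the alert queue; a hit on a Quick.CMS administrative path is the case to escalate, since the advisory ties exploitation to an administrator loading the admin panel.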
## References
- **Vendor**: OpenSolution
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/posts/2026/06/vulnerability-in-quick-cms/
- **CVE Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-11860
- **CWE-502**: hxxps[://]cwe[.]mitre[.]org/data/definitions/502[.]html