PatchSiren cyber security CVE debrief
CVE-2026-11860 OpenSolution CVE debrief
CVE-2026-11860 is a high-severity vulnerability in Quick.CMS that allows attackers to execute arbitrary code via deserialization of user-controlled data. The vulnerability has a CVSS score of 7.5 and was published on June 15, 2026. The issue arises from Quick.CMS deserializing user-controlled data received over plaintext HTTP without ensuring integrity or authenticity, allowing attackers to tamper with serialized payloads in transit and inject malicious objects.
- Vendor: OpenSolution
- Product: Quick.CMS
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of Quick.CMS versions prior to 6.8 should be aware of this vulnerability and take the necessary actions to mitigate it.
Technical summary
The vulnerability is caused by Quick.CMS deserializing user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects, potentially leading to arbitrary code execution.
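The unsafe pattern from the summary above next to a receiver that checks integrity before decoding, as an added example (not Quick.CMS or OpenSolution code). It assumes a PHP application; the function names, the `tag.json` envelope layout and the shared key are hypothetical.

```php
<?php
// Added example, not Quick.CMS source. Names, envelope layout and key are assumptions.

// Unsafe pattern: bytes from the network go straight into unserialize(),
// so whoever can modify the request in transit decides which objects are created.
function load_unsafe(string $body)
{
    return unserialize($body);
}

// Sender: encode plain data as JSON and prepend an HMAC-SHA256 tag.
function seal(array $data, string $key): string
{
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, $key) . '.' . $json;
}

// Receiver: verify the tag in constant time before any decoding happens.
function open_sealed(string $envelope, string $key): ?array
{
    $parts = explode('.', $envelope, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 64) {
        return null; // malformed envelope
    }
    [$tag, $json] = $parts;
    if (!hash_equals(hash_hmac('sha256', $json, $key), $tag)) {
        return null; // payload altered, or sealed with a different key
    }
    try {
        // JSON yields only arrays and scalars, never application objects.
        $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

$key = random_bytes(32);                            // constructed demo key
$msg = seal(['page' => 3, 'lang' => 'en'], $key);   // constructed sample payload
var_dump(open_sealed($msg, $key));                  // the original array
$tampered = str_replace('"page":3', '"page":9', $msg);
var_dump(open_sealed($tampered, $key));             // NULL: tag no longer matches
```

The tag protects integrity and authenticity only, so the channel still needs HTTPS for confidentiality. Where PHP's native format cannot be replaced, `unserialize($body, ['allowed_classes' => false])` after the tag check prevents object instantiation.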
Defensive priority
High
Recommended defensive actions
- Limit communication to HTTPS by implementing a patch for version 6.8 or later.
- Ensure that all communication with the admin panel is done over a secure channel (HTTPS).
Evidence notes
The vendor of the affected product is currently listed as 'Unknown Vendor'. However, there is evidence suggesting the product might be related to 'Opensolution'.
Official resources
CVE-2026-11860 was published on June 15, 2026, and has a CVSS score of 7.5, indicating a high severity vulnerability.