CVE-2026-11860 is a high-severity vulnerability in Quick.CMS that allows attackers to execute arbitrary code via deserialization of user-controlled data. The vulnerability has a CVSS score of 7.5 and was published on June 15, 2026. The issue arises from Quick.CMS deserializing user-controlled data received over plaintext HTTP without ensuring integrity or authenticity, allowing attackers to tamper with se [truncated]
QuickCMS versions prior to 6.8 (patched 2026-05-15) fetch plugin lists over unencrypted HTTP, enabling network‑positioned attackers to inject malicious HTML/JavaScript via a man‑in‑the‑middle attack against the opensolution.org endpoint. When an administrative user visits the plugin page, the attacker‑supplied payload is retrieved, rendered, and executed in the user's browser context. The CVSS 4.0 vector [truncated]
Session fixation vulnerability in QuickCMS allows pre-authentication session ID assignment that persists after login, enabling session hijacking attacks.
CVE-2021-47981 is a reported cross-site scripting issue in Quick.CMS 6.7 affecting the sliders form. The vulnerability is described as allowing an authenticated attacker to submit a malicious sDescription value that is later rendered as JavaScript in a victim browser, including through CSRF-style submission to the admin.php?p=sliders-form endpoint. The NVD record currently lists the issue as Medium severi [truncated]