Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-11860— Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS

AI Predicted 9.8 Difficulty: Easy EPSS 0.24% · P14

Affected Version Matrix 1

VendorProductVersion RangeStatus
OpenSolutionQuick.CMS≤ 6.8affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-11860

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel. When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel. This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenSolution Quick.CMS 反序列化漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenSolution quick.cms是OpenSolution组织开源的一个内容管理系统。 OpenSolution Quick.CMS 6.8之前版本存在安全漏洞,该漏洞源于在HTTP上传输反序列化数据时未验证数据完整性和真实性,可能导致攻击者在传输过程中篡改序列化有效载荷并注入恶意对象。由于反序列化没有正确验证或类限制,特制有效载荷可能触发危险魔法方法并结合小工具链,导致远程代码执行。当管理员访问管理面板时,利用会自动触发。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
OpenSolutionQuick.CMS 0 ~ 6.8 -

II. Public POCs for CVE-2026-11860

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-11860

登录查看更多情报信息。

Security Blog Posts for CVE-2026-11860 (1)

Vendor Pages for CVE-2026-11860 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-11860

No comments yet


Leave a comment