CVE-2026-11860

Gravedad CVSS v4.0:

ALTA

Tipo:

CWE-94 Control incorrecto de generación de código (Inyección de código)

Fecha de publicación:

15/06/2026

Última modificación:

15/06/2026

Descripción

*** Pendiente de traducción *** Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class restrictions, crafted payloads can trigger dangerous magic methods (e.g., __wakeup() and __destruct()) and leverage gadget chains, resulting in arbitrary code execution. Exploitation is triggered automatically when an administrator accesses the admin panel.<br /> <br /> When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the server via manipulated serialized data transmitted over an unprotected channel.<br /> <br /> This issue was mitigated by limiting the communication to HTTPS in a patch for version 6.8 published on 14.05.2026, deployments without this patch remain vulnerable.

Impacto

Vector 4.0

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L CVSS v4.0 Severidad y Métricas:

Puntuación base: 7.50 ALTA
Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Vector de acceso (AV): Red adyacente
Complejidad de acceso (AC): Bajo
Attack Requirements (AT): Present
Privilegios Requeridos (PR): Ninguno
Interacción del usuario (UI): Passsive
Confidentiality (VC): Alto
Integrity (VI): Alto
Availability (VA): Alto
Confidentiality (SC): Bajo
Integrity (SI): Bajo
Availability (SA): Bajo

Puntuación base 4.0

7.50

Gravedad 4.0

ALTA

CVE-2026-11860

Descripción

Impacto

Referencias a soluciones, herramientas e información