CVE-2026-45247: Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to…

CVE-2026-45247 [CRITICAL] Mirasvit Full Page Cache Warmer for Magento 2 up to 1.11.11 on Magento unserialize deserialization (EUVD-2026-31837) A vulnerability described as critical has been identified in Mirasvit Full Page Cache Warmer for Magento 2 up to 1.11.11 on Magento. Affected is the function unserialize. Executing a manipulation can lead to deserialization. This vulnerability is registered as CVE-2026-45247. It is possible to launch the attack remotely. Furthermore, an exploit is available. Upgrading the affected component is recommended.

CVE-2026-45247 [CRITICAL] CWE-502 GHSA-rg8p-9rpg-r32p: Mirasvit Full Page Cache Warmer for Magento 2 before version 1 Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

CVE-2026-45247 [CRITICAL] Deserialization of Untrusted Data Deserialization of Untrusted Data Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server. Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable. Exploitation References: https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/

CVE-2026-45247 [CRITICAL] CWE-502 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability Vulnerability: Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability Affected: Mirasvit Mirasvit Full Page Cache Warmer Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Notes: https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer ; https://nvd.nist.gov/vuln/detail/CVE-2026-45247 Remediation Due Date: 2026-06-06

CVE-2026-45247 [CRITICAL] CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog Home Threat Intelligence Vulnerabilities Cyber Attacks Webinars Expert Insights Awards Webinars Awards Free eBooks About THN Jobs Advertise with us ## CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted data that could be exploited to execute arbitrary PHP code on an affected server. "Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerabilit