Critical severity9.8CISA KEVNVD Advisory· Published May 26, 2026· Updated Jun 3, 2026
CVE-2026-45247
CVE-2026-45247
Description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <1.11.12
- Range: <1.11.12
Patches
Vulnerability mechanics
References
5- sansec.io/research/mirasvit-cache-warmer-object-injectionnvdThird Party Advisory
- www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/nvdThird Party Advisory
- www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injectionnvdThird Party Advisory
- mirasvit.com/package/changelog/nvdRelease Notes
- www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource
News mentions
5- CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in AttacksCyber Security News · Jun 4, 2026
- Mirasvit Vulnerability Exploited to Execute Code on Magento ServersSecurityWeek · Jun 4, 2026
- CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV CatalogThe Hacker News · Jun 3, 2026
- Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution AttacksCyber Security News · Jun 1, 2026
- CISA Adds One Known Exploited Vulnerability to CatalogCISA Alerts