VYPR
Critical severity · 9.8 · NVD Advisory · Published May 26, 2026

CVE-2026-45247

Description

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated PHP object injection in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows remote code execution via a crafted CacheWarmer cookie.

Vulnerability

The Mirasvit Full Page Cache Warmer for Magento 2 versions before 1.11.12 contains an unauthenticated PHP object injection vulnerability (CWE-502). The extension reads a CacheWarmer cookie from every storefront request and passes a portion of its value directly to PHP's native unserialize() function without any validation or class restriction [1][2][3]. This unserialize call occurs on every request, not only on cache warmer traffic, and requires no authentication or special configuration [2].
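As an added illustration (not the extension's own code, which is not on this page), the unsafe pattern the advisory describes beside a hardened reader; the cookie layouts, the function names and the `warm` field are assumptions:

```php
<?php
// Vulnerable pattern (CWE-502): the raw cookie value reaches unserialize().
// Every class the application has loaded is instantiable, so gadget chains already
// present in the framework or its vendor libraries can run during deserialization.
function readWarmerStateUnsafe(array $cookies): mixed
{
    if (!isset($cookies['CacheWarmer'])) {
        return null;
    }
    // Assumed cookie layout "flag|payload"; the real extension's layout is not on the page.
    [, $payload] = array_pad(explode('|', (string) $cookies['CacheWarmer'], 2), 2, '');
    return unserialize($payload);
}

// Hardened replacement: the cookie is treated as untrusted input.
// Integrity: the body is HMAC-signed with a server-side key so a client cannot forge it.
// Format: JSON instead of PHP serialization; json_decode() never instantiates classes,
// so no __wakeup()/__destruct() gadget can fire.
function readWarmerStateSafe(array $cookies, string $hmacKey): ?array
{
    $raw = $cookies['CacheWarmer'] ?? null;
    if (!is_string($raw) || strlen($raw) > 512) {
        return null;
    }
    $parts = explode('.', $raw, 2); // assumed layout "<hex hmac>.<base64 json>"
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[1], $hmacKey), $parts[0])) {
        return null; // missing or forged signature: ignore the cookie
    }
    $json = base64_decode($parts[1], true);
    $data = $json === false ? null : json_decode($json, true, 2);
    // Only accept the exact shape we expect.
    if (!is_array($data) || !isset($data['warm']) || !is_bool($data['warm'])) {
        return null;
    }
    return ['warm' => $data['warm']];
}

// Defence in depth if the serialized format cannot be dropped at once: refuse to
// instantiate any class, so objects become __PHP_Incomplete_Class instead of gadgets.
function unserializeDataOnly(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false]);
}
```

The `allowed_classes` option blocks object instantiation but still parses attacker-supplied input, so it is a stopgap rather than a substitute for the vendor patch or for dropping PHP serialization from the cookie entirely.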

Exploitation

An attacker sends an HTTP request to any storefront endpoint with a maliciously crafted CacheWarmer cookie containing a serialized PHP object. The extension deserializes the attacker-controlled data using unserialize(). By leveraging gadget chains already present in Magento, Adobe Commerce, or their dependencies, the attacker can trigger arbitrary code execution [2][3]. No authentication or special network position is required; the attack can be performed over the public internet.

Impact

Successful exploitation results in remote code execution on the server in the context of the web application, typically with the full privileges of the Magento/Adobe Commerce process. The attacker can read, modify, or delete sensitive data, install backdoors, pivot to internal networks, and potentially compromise customer credentials and payment information. The vulnerability is assigned a CVSS v3.1 score of 9.8 (Critical) [3].

Mitigation

Mirasvit released the patched version 1.11.12 on May 25, 2026, which fixes the PHP object injection vulnerability in the session cookie deserialization logic [1]. All users should update to version 1.11.12 or later immediately. There is no known workaround for unpatched versions. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Sansec reports that their Shield customers were protected as of April 24, 2026, when the flaw was discovered [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
