CVE-2026-45247
Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection
| CVSS Score | 9.8 |
| EPSS Score | 0.1% |
| EPSS Percentile | 33rd |
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
| CWE | CWE-502 |
| Vendor | mirasvit |
| Product | full page cache warmer for magento 2 |
| Published | May 26, 2026 |
| Last Updated | Jun 4, 2026 |
Actively Exploited
This vulnerability is actively exploited in the wild.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
Mirasvit / Full Page Cache Warmer for Magento 2
0 < 1.11.12
References
sansec.io: https://sansec.io/research/mirasvit-cache-warmer-object-injection
mirasvit.com: https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer
vulncheck.com: https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection
imperva.com: https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45247
Credits
Sansec