Cyber Resilience

CVE-2026-45247

Critical · CISA KEV · Active Exploitation · Public PoC · RCE · Updated

Published: 26 May 2026
Modified: 03 June 2026
KEV Added: 03 June 2026
Patch: available (upgrade to 1.11.12 or later)
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.2755 (97.8th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-45247 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Mirasvit Full Page Cache Warmer. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability stemming from an unrestricted call to PHP's native unserialize() function. Attackers can supply a crafted serialized object via the CacheWarmer cookie; when the module deserializes it, gadget chains available in Magento and its dependencies enable remote code execution on the server. The flaw is tracked as CWE-502 and carries a CVSS 4.0 score of 9.3.

Unauthenticated remote attackers can exploit the issue over the network without user interaction or credentials. Successful exploitation grants arbitrary code execution, allowing full compromise of the affected Magento installation including data access, modification, and service disruption.

Vendor and third-party advisories direct users to upgrade to Mirasvit Full Page Cache Warmer 1.11.12 or later, as listed in the package changelog. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, and protective guidance has been issued by security vendors including Imperva and Sansec.

EPSS remains flat at a peak and current value of 0.0615 with no material increase after disclosure.

Vulnerability details

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

CWE(s): CWE-502 Deserialization of Untrusted Data
KEV Date Added: 03 June 2026

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated remote code execution via deserialization in a public-facing Magento extension directly maps to exploitation of a public web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0994 (shared CWE-502; both on KEV)
CVE-2025-59287 (shared CWE-502; both on KEV)
CVE-2025-26399 (shared CWE-502; both on KEV)
CVE-2026-20963 (shared CWE-502; both on KEV)
CVE-2025-53770 (shared CWE-502; both on KEV)
CVE-2025-40551 (shared CWE-502; both on KEV)
CVE-2026-20131 (shared CWE-502; both on KEV)
CVE-2025-55182 (shared CWE-502; both on KEV)
CVE-2025-24016 (shared CWE-502; both on KEV)
CVE-2025-23006 (shared CWE-502; both on KEV)

Affected Assets

Vendor: mirasvit
Product: full page cache warmer
Version: ≤ 1.11.12

Mitigating Controls

NIST 800-53 r5 controls

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of untrusted input (the CacheWarmer cookie) before any deserialization, blocking the unrestricted unserialize() call that enables gadget-chain RCE.

SI-2 Flaw Remediation (prevent)
Mandates timely application of the vendor patch (upgrade to 1.11.12 or later) that removes the vulnerable unserialize() usage in the Mirasvit module.

Integrity verification (detect)
Requires integrity verification of software and inputs, enabling detection of unauthorized code or object tampering introduced via the malicious serialized cookie.
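What the input-validation control above asks for, as an added illustration that is not Mirasvit's code: the unrestricted unserialize() pattern the advisory describes, beside two hardened alternatives (allowed_classes => false, and JSON decoded into plain arrays against an allow-listed schema). Only the cookie name CacheWarmer comes from the advisory; the function names, the 1024-byte limit and the schema keys are assumptions.

```php
<?php
declare(strict_types=1);

// Risky pattern (the advisory's description): the raw cookie goes straight
// into unserialize(), so the client decides which classes get instantiated
// and any __wakeup()/__destruct() logic in Magento or its dependencies runs.
function readWarmerStateRisky(array $cookies)
{
    return unserialize($cookies['CacheWarmer'] ?? '');
}

// Hardened form 1: same wire format, but objects can no longer be created.
// allowed_classes => false turns every "O:" entry into __PHP_Incomplete_Class
// (no class code executes) and max_depth bounds deeply nested payloads.
function readWarmerStateNoObjects(array $cookies): array
{
    $raw = $cookies['CacheWarmer'] ?? '';
    // PHP parses "CacheWarmer[]=..." cookies into arrays, so check the type too.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 1024) {
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 4]);
    return is_array($data) ? $data : []; // anything but a plain array is dropped
}

// Hardened form 2 (preferred): never use PHP serialization for client-owned
// state. Decode JSON into plain arrays and keep only allow-listed keys whose
// values have the expected gettype() name. The keys below are hypothetical.
const WARMER_COOKIE_SCHEMA = ['lastUrl' => 'string', 'visited' => 'integer'];

function readWarmerStateJson(array $cookies): array
{
    $raw = $cookies['CacheWarmer'] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 1024) {
        return [];
    }
    $data = json_decode($raw, true, 4); // null on malformed input or depth overrun
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach (WARMER_COOKIE_SCHEMA as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean; // unknown keys such as "extra" never reach the caller
}

// Constructed inputs: a harmless serialized stdClass and a JSON cookie.
$objectCookie = ['CacheWarmer' => 'O:8:"stdClass":0:{}'];
$jsonCookie   = ['CacheWarmer' => '{"lastUrl":"/","visited":3,"extra":"x"}'];
var_dump(readWarmerStateNoObjects($objectCookie)); // object payload is not instantiated
var_dump(readWarmerStateJson($jsonCookie));        // only schema keys survive
```

Both hardened readers return an empty array on anything unexpected, which is the safe default for cache-warmer state; the risky reader is kept only to show the contrast and should not be copied.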

References