CVE-2026-45247
Published: 26 May 2026
Summary
CVE-2026-45247 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Mirasvit Full Page Cache Warmer. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability stemming from an unrestricted call to PHP's native unserialize() function. An attacker can supply a crafted serialized object in the CacheWarmer cookie, which the module passes straight to unserialize(); gadget chains present in Magento and its dependencies then turn that deserialization into remote code execution on the server. The flaw is tracked as CWE-502 and carries a CVSS 4.0 score of 9.3.
Unauthenticated remote attackers can exploit the issue over the network without user interaction or credentials. Successful exploitation grants arbitrary code execution, allowing full compromise of the affected Magento installation including data access, modification, and service disruption.
Vendor and third-party advisories direct users to upgrade to Mirasvit Full Page Cache Warmer 1.11.12 or later, as listed in the package changelog. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, and protective guidance has been issued by security vendors including Imperva and Sansec.
The EPSS score has remained flat at 0.0615 (both its peak and its current value), with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31837
Vulnerability details
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
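As an added illustration (not the Mirasvit module's code, whose internals are not reproduced here), the unsafe pattern the advisory describes next to a hardened cookie reader. The cookie's expected structure, the 4096-byte size budget and the function names are assumptions made for the example.

```php
<?php
// Added example, not Mirasvit's code. Shows the CWE-502 pattern the advisory
// describes (unrestricted unserialize() on a cookie) beside a hardened reader.

// VULNERABLE: attacker-controlled cookie bytes go straight to unserialize().
// Any autoloadable class with __wakeup/__destruct/__toString can act as a gadget.
function readCacheWarmerCookieUnsafe(array $cookies)
{
    return isset($cookies['CacheWarmer']) ? unserialize($cookies['CacheWarmer']) : null;
}

// HARDENED: never instantiate classes, bound size and nesting, and discard
// the whole payload if an object appeared anywhere in it.
function readCacheWarmerCookieSafe(array $cookies): ?array
{
    $raw = $cookies['CacheWarmer'] ?? null;
    if (!is_string($raw) || strlen($raw) > 4096) {   // assumed size budget
        return null;
    }
    // allowed_classes (PHP 7.0+) turns every object into __PHP_Incomplete_Class;
    // max_depth (PHP 7.4+) caps nesting. '@' silences notices on garbage input.
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data) || containsObject($data)) {
        return null;
    }
    return $data;
}

function containsObject($value): bool
{
    if (is_object($value)) {            // includes __PHP_Incomplete_Class
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed samples: a benign warmer state and a payload that smuggles an object.
$benign  = ['CacheWarmer' => serialize(['pages' => ['/'], 'ts' => 1700000000])];
$hostile = ['CacheWarmer' => 'a:1:{i:0;O:8:"stdClass":0:{}}'];
var_dump(readCacheWarmerCookieSafe($benign));   // the array is returned
var_dump(readCacheWarmerCookieSafe($hostile));  // null: object rejected
```

Storing PHP-serialized data in a client-controlled cookie is itself the design risk; a JSON structure read with json_decode($raw, true) removes the deserialization attack surface entirely.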
- CWE(s): CWE-502
- KEV Date Added: 03 June 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote code execution via deserialization in a public-facing Magento extension directly maps to exploitation of a public web application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of untrusted input (the CacheWarmer cookie) before any deserialization, blocking the unrestricted unserialize() call that enables gadget-chain RCE.
- SI-2 (Flaw Remediation): Mandates timely application of the vendor patch (upgrade to 1.11.12 or later) that removes the vulnerable unserialize() usage in the Mirasvit module.
- Requires integrity verification of software and inputs, enabling detection of unauthorized code or object tampering introduced via the malicious serialized cookie.