What is CVE-2026-45247?
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
CISA Known Exploited Vulnerability
Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability
Affected product
Mirasvit Full Page Cache Warmer
Remediation Steps
- Consult CISA Known Exploited Vulnerabilities catalog entry for full product and version details
- Apply vendor security patch
- Verify patch deployment across affected systems
- Review security logs for evidence of exploitation
References
- https://sansec.io/research/mirasvit-cache-warmer-object-injection
- https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection
- https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/
- https://nvd.nist.gov/vuln/detail/CVE-2026-45247
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Coverage on defend.network
- Vulnerability Priority Report – Week 2 of June 2026 (June 8 – 14)
- Vulnerability Priority Report – Week 1 of June 2026 (June 1 – 7)
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.