CVE-2026-45247 CRITICAL

CVE-2026-45247: Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Vendor Mirasvit

Product Full Page Cache Warmer for Magento 2

Weakness CWE-502 · Unsafe deserialization

Published May 26, 2026

Last update June 4, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

Key dates

Disclosure timeline

May 26, 2026 CVE published

June 4, 2026 Record updated

Identifiers

CVE CVE-2026-45247

CWE CWE-502

CVSS 9.3 / CRITICAL

Affected versions

Vendor Mirasvit

Product Full Page Cache Warmer for Magento 2

Affected < 1.11.12