CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalog on 2026-06-03, flagging a critical (CVSS 9.8) PHP object injection flaw in Mirasvit Full Page Cache Warmer for Magento 2 that allows unauthenticated remote code execution.
What Is It
CVE-2026-45247 is a deserialization of untrusted data vulnerability (CWE-502) in Mirasvit Full Page Cache Warmer for Magento 2. The module passes attacker-controlled input from the CacheWarmer cookie into PHP's native unserialize() function without restriction. By supplying a crafted serialized PHP object, an unauthenticated remote attacker can chain gadget classes available in Magento and its dependencies to execute arbitrary code on the server. No authentication, privileges, or user interaction are required (AV:N/AC:L/PR:N/UI:N), yielding a CVSS 3.1 base score of 9.8 and a CVSS 4.0 score of 9.3, both rated Critical.
Why It Matters
CISA's KEV listing indicates the vulnerability has been observed in active exploitation, though the agency has not published specifics on scope or attribution. Magento storefronts are a long-standing target for skimmer and webshell operators, and an unauthenticated RCE delivered through a single cookie is trivial to weaponize at scale. Successful exploitation gives full confidentiality, integrity, and availability impact on the host (C:H/I:H/A:H), which on an e-commerce server typically translates to payment card theft, persistent backdoors, and full store compromise. Known ransomware use is currently listed as "Unknown" by CISA.
What's Vulnerable
- Product: Mirasvit Full Page Cache Warmer (mirasvit/module-cache-warmer) for Magento 2
- Affected versions: all releases prior to 1.11.12
- CPE: cpe:2.3:a:mirasvit:full_page_cache_warmer:*:*:*:*:*:magento:*:*
- Attack surface: the CacheWarmer HTTP cookie, reachable on any internet-exposed storefront running the module
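A defender-side check that operators can run over web-server logs while patching, added here as an example and not part of CISA's advisory or Mirasvit's code: it flags requests whose CacheWarmer cookie carries a serialized PHP object (the pattern unserialize() would turn into an object) and reports whether an installed module version falls below the fixed 1.11.12 release. It assumes the cookie is named exactly CacheWarmer, a constructed log format with a quoted cookie field, and uses stdClass as a harmless stand-in value, not a gadget.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "CacheWarmer"   # assumed exact cookie name, as given in the advisory text
FIXED_VERSION = (1, 11, 12)   # first fixed release of mirasvit/module-cache-warmer
# A serialized PHP object starts with O:<len>:"<class>": (C: for custom serialization),
# either at the start of the value or after ';'/'{' when nested in an array.
# Scalars and arrays (s:, i:, a:) do not match, so ordinary serialized data is not flagged.
_PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z0-9_\\]+":')

def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into a dict, percent-decoding values (first value wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies.setdefault(name.strip(), unquote(value))
    return cookies

def cookie_carries_php_object(header: str) -> bool:
    """True if the CacheWarmer cookie in a Cookie header holds a serialized PHP object."""
    value = parse_cookie_header(header).get(COOKIE_NAME, "")
    return _PHP_OBJECT.search(value) is not None

def is_affected_version(version: str) -> bool:
    """True for any module version below the fixed release (1.11.12); suffixes like -p1 are ignored."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return parts < FIXED_VERSION

def flag_suspicious(lines) -> list:
    """Return access-log lines whose quoted cookie field carries a serialized PHP object."""
    hits = []
    for line in lines:
        m = re.search(r'cookie="([^"]*)"', line)
        if m and cookie_carries_php_object(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines (not real traffic). Line 2 holds a bare object,
# line 3 a plain serialized array (benign), line 4 an object nested inside an array.
SAMPLE_LOGS = [
    '10.0.0.5 - - [03/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 cookie="PHPSESSID=abc123; CacheWarmer=1"',
    '10.0.0.9 - - [03/Jun/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 cookie="CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '10.0.0.7 - - [03/Jun/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 cookie="CacheWarmer=a%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A1%3A%22x%22%3B%7D"',
    '10.0.0.9 - - [03/Jun/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 cookie="CacheWarmer=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):
        print("suspicious:", hit)
```

A match on the regex is a strong signal but not proof of exploitation; treat hits as triage leads and confirm against the module version and server-side indicators.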
Patch Status
Mirasvit has shipped a fixed release in version 1.11.12; operators should upgrade immediately per the vendor changelog. CISA requires federal civilian agencies to apply mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of the product by 2026-06-06: a three-day remediation window that reflects the severity and reported exploitation activity. Private-sector Magento operators should treat this deadline as the floor, not the ceiling.