U.S. CISA adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog

https://securityaffairs.com/193156/security/u-s-cisa-adds-mirasvit-full-page-cache-warmer-flaw-to-its-known-exploited-vulnerabilities-catalog.html

Publish Date: 2026-06-04 13:26:00

Source Domain: securityaffairs.com

Pierluigi Paganini
June 04, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Mirasvit Full Page Cache Warmer flaw, tracked as CVE-2026-45247 (CVSS v4.0 score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

The CVE-2026-45247 flaw is a critical PHP object injection vulnerability affecting Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. The issue allows unauthenticated attackers to send a specially crafted serialized PHP object through the CacheWarmer cookie, which is processed by an unsafe call to PHP’s unserialize() function.

By leveraging gadget chains present in Magento and its dependencies, attackers can achieve remote code execution, potentially gaining full control of the affected server.

“Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie,” CISA reports.

Sansec researchers found the flaw in Mirasvit Cache Warmer, which is a popular Magento full-page cache extension. The experts pointed out that a single crafted cookie on any storefront page can lead to remote code execution.
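
For defenders reviewing request logs, the following added example (not from Sansec, CISA or Mirasvit) flags requests whose CacheWarmer cookie carries a serialized PHP object. The tab-separated log layout, the function names and the three encodings checked (as sent, URL-decoded, base64) are assumptions, since the article does not state how the cookie value is encoded.

```python
import base64
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"  # cookie named in the article

# PHP serialize() object markers: O:<len>:"Class":<count>:{ or C:<len>:"Class":<len>:{
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')


def cookie_value(header, name=COOKIE_NAME):
    """Return the raw value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def decodings(raw):
    """Value as sent, URL-decoded, and base64-decoded (assumed encodings)."""
    forms = {raw, unquote(raw)}
    for text in list(forms):
        try:
            padded = text + "=" * (-len(text) % 4)
            forms.add(base64.b64decode(padded, validate=True).decode("latin-1"))
        except ValueError:  # not base64 (binascii.Error is a ValueError)
            pass
    return forms


def flag_requests(log_lines):
    """Return 1-based numbers of lines whose CacheWarmer cookie holds a PHP object."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        _ip, _request, cookies = line.split("\t", 2)
        value = cookie_value(cookies)
        if value and any(PHP_OBJECT.search(form) for form in decodings(value)):
            hits.append(number)
    return hits


# Constructed sample log: client IP, request line, Cookie header (tab-separated).
NESTED = base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()
SAMPLE_LOG = [
    "198.51.100.7\tGET / HTTP/1.1\tPHPSESSID=k3; CacheWarmer=abc123",
    "203.0.113.9\tGET / HTTP/1.1\tCacheWarmer=" + quote('O:8:"stdClass":0:{}', safe=""),
    "203.0.113.9\tGET /cart HTTP/1.1\tCacheWarmer=" + NESTED,
    "198.51.100.8\tGET / HTTP/1.1\tCacheWarmer=" + quote('a:1:{s:3:"url";s:1:"/";}', safe=""),
]
```

Common web server access log formats do not record the Cookie header, so a check like this only works where cookie logging or a WAF/proxy capture is in place.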

“Sansec discovered an unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer, a full-page cache extension for Magento and Adobe Commerce. Any storefront request carrying a crafted CacheWarmer cookie reaches PHP’s native unserialize() on attacker-controlled data, with no authentication, no admin session and no config toggle required. With a suitable gadget chain, this…
