{"id":264252,"date":"2026-06-04T13:26:00","date_gmt":"2026-06-04T17:26:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/04\/u-s-cisa-adds-mirasvit-full-page-cache-warmer-flaw-to-its-known-exploited-vulnerabilities-catalog\/"},"modified":"2026-06-04T14:55:12","modified_gmt":"2026-06-04T18:55:12","slug":"u-s-cisa-adds-mirasvit-full-page-cache-warmer-flaw-to-its-known-exploited-vulnerabilities-catalog","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/04\/u-s-cisa-adds-mirasvit-full-page-cache-warmer-flaw-to-its-known-exploited-vulnerabilities-catalog\/","title":{"rendered":"U.S. CISA adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog"},"content":{"rendered":"

U.S. CISA adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog<\/a><\/p>\n

https:\/\/securityaffairs.com\/193156\/security\/u-s-cisa-adds-mirasvit-full-page-cache-warmer-flaw-to-its-known-exploited-vulnerabilities-catalog.html<\/a><\/p>\n

Publish Date: 2026-06-04 13:26:00<\/a><\/p>\n

Source Domain: securityaffairs.com<\/a><\/p>\n

U.S. CISA adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog<\/h2>\n<\/p>\n

\t\t\t\t\t\t\t Pierluigi Paganini<\/span>
\n\t\t\t\t\t\t\t\"\"\/ June 04, 2026<\/span><\/p>\n

\t\t\t\t\t\t\"\"\/<\/p>\n

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog.<\/h2>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added Mirasvit Full Page Cache Warmer flaw, tracked as CVE-2026-45247 (CVSS ver 4.0 score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n

The CVE-2026-45247 flaw is a critical PHP object injection vulnerability affecting Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12. The issue allows unauthenticated attackers to send a specially crafted serialized PHP object through the CacheWarmer cookie, which is processed by an unsafe call to PHP\u2019s unserialize() function. <\/p>\n

By leveraging gadget chains present in Magento and its dependencies, attackers can achieve remote code execution, potentially gaining full control of the affected server.<\/p>\n

\u201cMirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie,\u201d CISA\u00a0reports.<\/p>\n

Sansec researchers found the flaw in Mirasvit Cache Warmer, which is a popular Magento full-page cache extension. The experts pointed out that a single crafted cookie on any storefront page can lead to remote code execution. <\/p>\n

\u201cSansec discovered an unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer, a full-page cache extension for Magento and Adobe Commerce. Any storefront request carrying a crafted\u00a0CacheWarmer\u00a0cookie reaches PHP\u2019s native\u00a0unserialize()\u00a0on attacker-controlled data, with no authentication, no admin session and no config toggle required. With a suitable gadget chain, this…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

U.S. CISA adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog…<\/p>\n","protected":false},"author":1,"featured_media":264253,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2020\/07\/CISA.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-264252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264252"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=264252"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264252\/revisions"}],"predecessor-version":[{"id":264254,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/264252\/revisions\/264254"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/264253"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=264252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=264252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=264252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}