PatchSiren cyber security CVE debrief
CVE-2026-45247 Mirasvit CVE debrief
CVE-2026-45247 documents a critical PHP object injection vulnerability in Mirasvit Full Page Cache Warmer for Magento 2, affecting versions prior to 1.11.12. The vulnerability stems from an unrestricted call to PHP's native unserialize() function on attacker-controlled input passed via the CacheWarmer cookie. Unauthenticated remote attackers can supply crafted serialized PHP objects to trigger gadget chains present in Magento and its dependencies, resulting in arbitrary code execution on the target server. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. The vulnerability was disclosed on 2026-05-26; its NVD status is currently marked as Deferred.
- Vendor: Mirasvit
- Product: Full Page Cache Warmer for Magento 2
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations operating Magento 2 e-commerce platforms with Mirasvit Full Page Cache Warmer installed; security teams responsible for PHP application security; hosting providers managing shared Magento environments; e-commerce security auditors and penetration testers
Technical summary
The vulnerability exists in the Cache Warmer module's handling of the CacheWarmer cookie. The application passes user-supplied cookie data directly to PHP's unserialize() function without proper validation or sanitization. Attackers can craft malicious serialized objects that, when deserialized, invoke destructor or magic methods within available gadget chains in the Magento ecosystem. Successful exploitation yields remote code execution with the privileges of the web server process. The attack requires no authentication and can be conducted remotely with minimal complexity.
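The following is an added illustration of the CWE-502 pattern described above, written for this debrief; it is not Mirasvit's code and does not reproduce the module's actual handler. The cookie name CacheWarmer comes from the advisory; the expected cookie contents (two scalar flags), the function names, the 512-byte size bound and the PHP 8 type hints are assumptions for the demonstration. The unsafe function shows where the vulnerability class lives, and the two safer functions show a replacement that never hands cookie data to unserialize(), plus a containment variant for code that cannot change its wire format immediately.

```php
<?php
declare(strict_types=1);

// Added example, not Mirasvit's code. Cookie name from the advisory; the
// expected cookie shape, the function names and the size bound are assumed.

// Vulnerable pattern: cookie value goes straight into unserialize(). PHP
// instantiates whatever class the payload names, and __wakeup()/__destruct()
// on that class (or on a chain of classes) run before this function returns.
function readCacheWarmerUnsafe(array $cookies): mixed
{
    if (!isset($cookies['CacheWarmer'])) {
        return null;
    }
    return unserialize($cookies['CacheWarmer']);
}

// Hardened: the cookie only needs to carry a couple of scalar flags, so it is
// parsed as JSON (which cannot instantiate objects) and reduced to a fixed
// shape. Anything unexpected is dropped rather than interpreted.
function readCacheWarmerSafe(array $cookies): ?array
{
    $raw = $cookies['CacheWarmer'] ?? null;
    if (!is_string($raw) || $raw === '' || strlen($raw) > 512) {
        return null;
    }
    $decoded = json_decode($raw, true, 2);  // depth 2: a flat object only
    if (!is_array($decoded)) {
        return null;
    }
    // Allow-list the keys and coerce each to the type the caller expects.
    return [
        'active'  => (bool) ($decoded['active'] ?? false),
        'version' => is_int($decoded['version'] ?? null) ? $decoded['version'] : 0,
    ];
}

// Transitional option when the serialized wire format must stay for a while:
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// so no user-defined magic method runs. This is containment, not a fix; the
// cookie should still be migrated to a non-executable format such as JSON.
function readCacheWarmerLegacy(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    // A legitimate cookie holds only scalars; an incomplete-class object here
    // means someone sent an object, which is rejected outright.
    foreach ($data as $value) {
        if (!is_scalar($value) && $value !== null) {
            return null;
        }
    }
    return $data;
}
```

The point of the safe variant is structural: once the cookie is parsed with a decoder that has no notion of classes, the availability of gadget chains in Magento or its dependencies no longer matters for this input path. The legacy variant only removes the class instantiation step and should be treated as a stopgap while the cookie format is changed.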
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade Mirasvit Full Page Cache Warmer for Magento 2 to version 1.11.12 or later
- Review web server access logs for requests containing serialized PHP object patterns in CacheWarmer cookie values
- Implement Web Application Firewall (WAF) rules to detect and block serialized PHP object payloads in cookie parameters
- Audit Magento installations for unauthorized plugins or modifications that may indicate prior compromise
- Apply principle of least privilege to Magento file system permissions to limit impact of potential code execution
- Consider implementing additional input validation layers for cookie processing in custom Magento extensions
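As an added example for the log-review action above (not a PatchSiren or Mirasvit tool), the script below scans access-log lines for CacheWarmer cookie values that contain a serialized PHP object. It assumes the web server records the request Cookie header as the final quoted field of each line (for Apache, a LogFormat ending in "%{Cookie}i"; the default combined format does not log cookies, so this usually requires a custom format). The three log lines are constructed; the flagged one carries a serialized stdClass, chosen because it is harmless, and the unflagged one carries a serialized array, which the module could legitimately use and which must not produce a false positive.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory. Assumes the Cookie header is the
// last quoted field on each access-log line; the sample lines are constructed.

// A serialized PHP object begins with O:<len>:"<class>": (or C: for classes
// using a custom serializer). The marker is matched at the start of the value
// or right after an array/property separator, so objects nested inside an
// array are caught as well.
const SERIALIZED_OBJECT_PATTERN = '/(?:^|[;{])\s*[OC]:\d+:"/';

// Returns the Cookie header from one log line, or null if the line has none.
function extractCookieHeader(string $line): ?string
{
    return preg_match('/"([^"]*)"\s*$/', $line, $m) === 1 ? $m[1] : null;
}

// Returns the URL-decoded CacheWarmer cookie value, or null if absent.
// Splitting on ';' happens before decoding, so an encoded %3B inside the
// value cannot break the cookie apart.
function cacheWarmerValue(string $cookieHeader): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        [$name, $value] = array_pad(explode('=', trim($pair), 2), 2, '');
        if ($name === 'CacheWarmer') {
            return urldecode($value);
        }
    }
    return null;
}

function looksLikeSerializedObject(string $value): bool
{
    return preg_match(SERIALIZED_OBJECT_PATTERN, $value) === 1;
}

// Walks the log and returns one record per request whose CacheWarmer cookie
// contains a serialized object: line number, client address, decoded value.
function findSuspiciousCacheWarmerRequests(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $header = extractCookieHeader($line);
        if ($header === null) {
            continue;
        }
        $value = cacheWarmerValue($header);
        if ($value !== null && looksLikeSerializedObject($value)) {
            $hits[] = [
                'line'   => $n + 1,
                'client' => strtok($line, ' '),
                'cookie' => $value,
            ];
        }
    }
    return $hits;
}

// Constructed sample log. Line 1 decodes to a:1:{s:6:"active";b:1;} (a plain
// array, not flagged); line 2 decodes to O:8:"stdClass":0:{} (flagged);
// line 3 has no CacheWarmer cookie at all.
$sampleLog = [
    '203.0.113.7 - - [26/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 '
        . '"CacheWarmer=a%3A1%3A%7Bs%3A6%3A%22active%22%3Bb%3A1%3B%7D"',
    '203.0.113.9 - - [26/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 '
        . '"PHPSESSID=abc123; CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    '198.51.100.4 - - [26/May/2026:10:00:03 +0000] "GET /checkout HTTP/1.1" 200 7800 '
        . '"PHPSESSID=def456"',
];

foreach (findSuspiciousCacheWarmerRequests($sampleLog) as $hit) {
    printf("line %d client %s CacheWarmer=%s\n", $hit['line'], $hit['client'], $hit['cookie']);
}
```

Run against the sample it reports only line 2. The same pattern is the basis for the WAF rule in the next action: match on the decoded cookie value, not the raw header, because the object marker will normally arrive percent-encoded. Remember that this check identifies attempts, not outcomes; any hit should be followed by the plugin and file-system audit listed above.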
Evidence notes
Vulnerability description sourced from official NVD record and VulnCheck disclosure. Vendor attribution to Mirasvit derived from reference domain analysis with low confidence flag requiring review. Affected product versions and patch availability confirmed through vendor changelog reference. Technical details of exploitation vector (CacheWarmer cookie, unserialize() call, gadget chain reliance) per source references. CVSS 4.0 vector and scoring from NVD metadata. CWE-502 (Deserialization of Untrusted Data) identified as primary weakness.
Official resources
2026-05-26