PHP Object Injection Vulnerability in Mirasvit Full Page Cache Warmer for Magento 2
CVE-2026-45247

9.3 CRITICAL

Key Information:

Vendor: Mirasvit
CVE Published: 26 May 2026

What is CVE-2026-45247?

Mirasvit Full Page Cache Warmer for Magento 2 is susceptible to a PHP object injection flaw that permits unauthenticated attackers to execute arbitrary code. The vulnerability arises from an unrestricted call to PHP's native unserialize() function when handling malformed serialized PHP objects in the CacheWarmer cookie. By exploiting this flaw, attackers can leverage existing gadget chains within Magento and its libraries, thereby gaining remote control over the affected system. Updating to version 1.11.12 or later is essential to mitigate this security risk.
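The class of flaw described above, as an added example that is not Mirasvit's code or its patch: a cookie decoder that calls unserialize() without restriction, next to a hardened one. The function names, the 4096-byte limit and the flat-array cookie layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical, for contrast): any class the autoloader
// can reach is instantiated, and its __wakeup()/__destruct() magic methods
// run on property values chosen by whoever set the cookie.
function decodeCookieUnsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: never instantiate classes and accept only a flat array
// of scalars. Returns null for every other input.
function decodeCookieSafe(string $raw): ?array
{
    if (strlen($raw) > 4096) {          // assumed size limit
        return null;
    }
    // allowed_classes=false maps every serialized object to
    // __PHP_Incomplete_Class, so no application class is constructed.
    // max_depth (PHP 7.4+) makes deeply nested input fail to decode.
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 2]);
    if (!is_array($data)) {
        return null;                    // false, scalars and bare objects
    }
    foreach ($data as $value) {
        if ($value !== null && !is_scalar($value)) {
            return null;                // nested arrays or objects
        }
    }
    return $data;
}

// Constructed sample values; stdClass is a harmless built-in class.
$samples = [
    'benign array'    => serialize(['page' => 'catalog', 'ttl' => 300]),
    'bare object'     => serialize(new stdClass()),
    'object in array' => serialize(['x' => new stdClass()]),
    'garbage'         => 'not-serialized-data',
];

foreach ($samples as $label => $raw) {
    $result = decodeCookieSafe($raw);
    printf("%-16s %s\n", $label, $result === null ? 'rejected' : 'accepted');
}
```

Where the cookie format can be changed, encoding it as JSON and reading it with json_decode() removes unserialize() from the request path entirely.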

Affected Version(s)

Full Page Cache Warmer for Magento 2 0

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sansec