Critical PHP Object Injection Vulnerability in Mirasvit Cache Warmer

Severity: High (Score: 78.0)

Sources: nvd.nist.gov, sansec.io

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: cache, mirasvit, warmer, object, injection, page, magento

Severity indicators: CVE:CVE-2026-45247

Summary

Sansec identified a critical unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer for Magento, tracked as CVE-2026-45247, which allows remote code execution via a crafted CacheWarmer cookie. The flaw affects all versions prior to 1.11.12 and is rated 9.8 (critical). Mirasvit released a patch on May 25, 2026, urging users to update immediately. The vulnerability can be exploited without authentication, making it particularly dangerous because it can be triggered through ordinary storefront traffic. Approximately 6,000 stores are estimated to be running vulnerable Mirasvit extensions. Attackers can exploit this vulnerability using a gadget chain built from existing Magento classes. Sansec Shield customers were protected as of April 24, 2026. The flaw was added to CISA's Known Exploited Vulnerabilities Catalog on June 3, 2026, indicating active exploitation.

Key Points:

  • CVE-2026-45247 allows remote code execution via a crafted CacheWarmer cookie.
  • All versions of Mirasvit Cache Warmer prior to 1.11.12 are vulnerable.
  • Mirasvit released a patch on May 25, 2026, and users are urged to update immediately.

Detailed Analysis

**Impact**

Approximately 6,000 Magento and Adobe Commerce storefronts running Mirasvit Cache Warmer extensions are affected, with actual numbers likely higher because CDNs hide the underlying platform. The vulnerability allows unauthenticated remote code execution, risking full server compromise, data theft, and operational disruption. Merchants worldwide using Magento 2 and bundled Mirasvit packages are exposed, impacting e-commerce sectors reliant on these platforms.

**Technical Details**

The attack exploits an unauthenticated PHP object injection (CWE-502) via a crafted serialized object in the CacheWarmer cookie, which is passed to PHP's native unserialize() function without class restrictions. This enables remote code execution through gadget chains present in Magento and its dependencies. The vulnerability is tracked as CVE-2026-45247, rated 9.8 (critical). Exploitation is observable as CacheWarmer cookies containing base64-encoded serialized objects whose values start with Tz, Qz, or YT (the base64 encodings of the PHP serialization prefixes "O:", "C:", and "a:").

**Recommended Response**

Apply Mirasvit Cache Warmer version 1.11.12 or later immediately to remediate the vulnerability. Deploy detection rules to identify CacheWarmer cookies with suspicious base64-encoded serialized objects matching CacheWarmer:(Tz|Qz|YT). Block known Magento attack patterns and monitor storefront traffic for exploitation signatures. Maintain vigilance for unauthenticated requests carrying crafted CacheWarmer cookies until patching is complete.
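The detection rule above, implemented as an added example (not code from Sansec, Mirasvit or NVD): it scans raw Cookie headers for a CacheWarmer value that matches the Tz|Qz|YT prefix rule and confirms that the value base64-decodes to a PHP serialized object or array. The sample headers are constructed, harmless stdClass/array literals, not captured traffic.

```python
import base64
import binascii
import re
from typing import List, Optional

# The advisory's rule: a CacheWarmer cookie whose base64 value starts with Tz, Qz or YT,
# i.e. the base64 encodings of the PHP serialize() prefixes "O:", "C:" and "a:".
CACHEWARMER_RULE = re.compile(r"(?:^|;\s*)CacheWarmer=(Tz|Qz|YT)")
SERIALIZED_PREFIXES = (b"O:", b"C:", b"a:")


def cachewarmer_value(cookie_header: str) -> Optional[str]:
    """Return the CacheWarmer cookie value from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CacheWarmer":
            return value
    return None


def looks_like_serialized_php(value: str) -> bool:
    """True when the value base64-decodes cleanly to a PHP serialized object or array."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # prefix matched but the value is not valid base64: not an indicator
    return decoded.startswith(SERIALIZED_PREFIXES)


def scan_cookie_headers(headers: List[str]) -> List[str]:
    """Return the headers that match the prefix rule and decode to serialized PHP."""
    hits = []
    for header in headers:
        if not CACHEWARMER_RULE.search(header):
            continue
        value = cachewarmer_value(header)
        if value is not None and looks_like_serialized_php(value):
            hits.append(header)
    return hits


def _b64(payload: bytes) -> str:
    return base64.b64encode(payload).decode()


# Constructed sample Cookie headers (not real traffic) used to exercise the rule.
SAMPLE_COOKIE_HEADERS = [
    "PHPSESSID=abc123; CacheWarmer=1",                            # benign flag value
    "CacheWarmer=" + _b64(b'O:8:"stdClass":0:{}'),                 # object payload -> Tz...
    "form_key=xyz; CacheWarmer=" + _b64(b'a:1:{i:0;s:1:"x";}'),   # array payload -> YT...
    "CacheWarmer=TzNotBase64!!",                                   # prefix only, fails decode
]

if __name__ == "__main__":
    for hit in scan_cookie_headers(SAMPLE_COOKIE_HEADERS):
        print("ALERT CVE-2026-45247 indicator:", hit)
```

Only the CacheWarmer cookie is inspected, so ordinary PHPSESSID or form_key cookies on the same request never trigger the rule.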

Source articles (2)

  • Mirasvit Cache Warmer Object Injection — sansec.io · 2026-06-04
    Sansec found an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a popular Magento full-page cache extension. A single crafted cookie on any storefront page can lead to remote code…
  • CVE-2026-45247 — nvd.nist.gov · 2026-06-04
    Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a…

Timeline

  • 2026-05-25 — Patch released for Mirasvit Cache Warmer: Mirasvit released version 1.11.12 to address the critical PHP object injection vulnerability.
  • 2026-05-26 — CVE-2026-45247 published: The vulnerability was officially published, detailing the unauthenticated PHP object injection flaw.
  • 2026-06-03 — CVE added to CISA KEV: CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities Catalog, indicating active exploitation.
  • 2026-06-04 — First public PoC released: A proof of concept for exploiting CVE-2026-45247 was made publicly available, increasing the risk of attacks.

CVEs

  • CVE-2026-45247

Related entities

  • Zero-day Exploit (Attack Type)
  • CWE-502 - Deserialization of Untrusted Data (CWE)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • Adobe Commerce (Platform)
  • Magento (Platform)
  • PHP (Platform)