CVE-2026-45247: Critical Mirasvit Cache Warmer Flaw Puts Magento Stores at Risk
CVE-2026-45247 is a critical (CVSS 9.3) PHP object injection vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 that lets unauthenticated attackers run arbitrary code on a store's server. A single crafted cookie sent to any storefront page is enough to trigger it, no login required. CISA added it to the Known Exploited Vulnerabilities catalog on June 3, 2026, and a patch is available. If you run Mirasvit Cache Warmer below version 1.11.12, upgrade immediately. If you can't patch right now, disable the extension.
What is CVE-2026-45247?
CVE-2026-45247 is a PHP object injection vulnerability in Mirasvit Full Page Cache Warmer, a full-page cache extension for Magento 2 (Adobe Commerce). It's classified as CWE-502: Deserialization of Untrusted Data.
The Cache Warmer pre-populates Magento's full-page cache for different visitor states, such as currency and customer group. To render a page as a specific visitor, the extension packs session state into a cookie and reads it back on each request. The problem is that it passes part of that cookie value straight to PHP's native unserialize() function without restricting which classes can be instantiated. Because the cookie comes from the client, an attacker controls the objects PHP reconstructs. Chained with gadget classes that Magento and its dependencies already ship, that object injection escalates to remote code execution.
The extension runs on every storefront request, not just cache-warming traffic, so the vulnerable code path is reachable on ordinary public pages. Security researchers at the firm that discovered the flaw reported it to Mirasvit on May 21, 2026, and the vendor shipped a fix four days later. We're attributing the discovery to the reporting researchers rather than naming the firm, since it's a direct competitor in the e-commerce security space. (Editor note below.)
What products and versions are affected?
The vulnerability affects:
- Mirasvit Full Page Cache Warmer for Magento 2, all versions before 1.11.12
One detail makes scoping harder than usual. The Cache Warmer is bundled with several other Mirasvit packages, so many merchants run it without ever having installed it directly. If you've deployed any Mirasvit extension bundle on a Magento 2 store, you may have the vulnerable component present even if Cache Warmer isn't something you chose to add.
This affects Magento 2 deployments broadly, including both Magento Open Source and Adobe Commerce, since the two share the same underlying framework and extension ecosystem. The researchers who found the flaw reported scans turning up roughly 6,000 stores running Mirasvit extensions, and noted the real number is likely higher because CDNs hide many installations from fingerprinting.
How severe is it?
CVE-2026-45247 carries a CVSS 4.0 base score of 9.3 (Critical), with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, as assigned by the CVE's CNA. NVD also lists an equivalent CVSS 3.1 score of 9.8 (Critical) from the same source.
The severity reflects how little an attacker needs. Exploitation requires no authentication, no user interaction, and no special privileges. The attack arrives over the network as a standard HTTP cookie on a public storefront page, which is exactly the kind of request a Magento store is built to accept from anyone. A successful exploit yields arbitrary code execution on the server, which for an e-commerce host can mean full compromise: payment skimmers, persistent backdoors, and access to customer and order data.
CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, with a remediation deadline of June 6, 2026 for federal agencies under Binding Operational Directive 22-01. A three-day window signals confirmed, ongoing exploitation.
Has this been exploited in the wild?
Yes. CISA's addition of CVE-2026-45247 to the KEV catalog on June 3, 2026 is based on evidence of active exploitation. The catalog entry lists the standard remediation action: apply vendor mitigations, follow BOD 22-01 guidance, or stop using the product if no mitigation is available.
The exploitation pattern is what makes this one worth acting on quickly. The flaw needs no authentication, fires on ordinary storefront traffic, and the request signature is simple enough for attackers to automate once a patch reveals the fix. The KEV entry lists known use in ransomware campaigns as unknown.
Are patches available?
Yes. Mirasvit released the fix in version 1.11.12 on May 25, 2026, and is asking all customers to update. The Mirasvit changelog records the 1.11.12 entry as a fix for a PHP object injection vulnerability in session cookie deserialization.
A later release, 1.11.13 (May 27, 2026), addresses an unrelated logging issue. Upgrading to 1.11.12 or any later version closes the actively exploited vulnerability. If you're updating, going to the latest available version avoids a second patch cycle.
What should you do right now?
- Patch immediately. Upgrade Mirasvit Full Page Cache Warmer to version 1.11.12 or later on every Magento 2 store where it's present. Remember that it may be installed as part of a bundle, so check stores even if you didn't add Cache Warmer directly.
- Disable the extension if you can't patch right now. The vulnerable code path is in the extension itself. Disabling it removes the attack path until you can apply the update.
- Hunt for exploitation attempts in your logs. The discovering researchers noted a clear request signature: a CacheWarmer cookie whose value matches CacheWarmer:(Tz|Qz|YT). A serialized PHP value begins with a type marker (O: for an object, a: for an array, C: for a custom-serialized class), and base64-encoding those two-byte markers yields exactly the prefixes Tz, YT and Qz, so a cookie matching that pattern is a strong indicator of an exploitation attempt. Search your web server and application logs for it.
- Check for post-exploitation activity. Because this CVE delivers code execution on the server, treat any confirmed exploitation as a potential full compromise. Review web-accessible directories such as pub/ for unexpected PHP files, and look for webshells, modified files, unfamiliar admin users, new cron jobs, and unusual outbound traffic.
- Rotate credentials on any server you believe was compromised, including database credentials, API tokens, and any secrets readable from the host.
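As an added example (not code from this advisory, from Mirasvit, or from the reporting researchers), here is a small Python log scanner that applies the signature above to a handful of constructed log lines. It assumes a log format in which the cookie value is recorded after the literal text CacheWarmer:, matching the advisory's pattern; the sample lines, the IP addresses and the serialized stdClass used as a stand-in payload are all constructed. The scanner also derives the three prefixes from the PHP serialization type markers, so you can see why the pattern is stable regardless of what follows the first two bytes.

```python
import base64
import re

# Signature from the advisory: the CacheWarmer cookie value starts with the
# base64 encoding of a PHP serialized object ("O:"), array ("a:") or
# custom-serialized class ("C:").
COOKIE_IOC = re.compile(r"CacheWarmer:(Tz|Qz|YT)")

# Type markers PHP emits at the start of a serialized value.
PHP_TYPE_MARKERS = {"object": "O:", "array": "a:", "custom": "C:"}


def base64_prefix(marker: str) -> str:
    """First two base64 characters produced by a value that begins with
    `marker`. Two input bytes fully determine two output characters, so the
    prefix does not depend on anything that follows the marker."""
    return base64.b64encode(marker.encode()).decode()[:2]


def explain_prefixes() -> dict:
    """Map each PHP serialization kind to the prefix the signature looks for."""
    return {kind: base64_prefix(m) for kind, m in PHP_TYPE_MARKERS.items()}
# → {'object': 'Tz', 'array': 'YT', 'custom': 'Qz'}


def scan_log(lines):
    """Return (line_number, matched_prefix) for every line containing the IoC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = COOKIE_IOC.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


# Constructed stand-in for a suspicious cookie value: a harmless serialized
# stdClass. Only its leading bytes matter for the signature.
SUSPICIOUS = base64.b64encode(b'O:8:"stdClass":0:{}').decode()

# Constructed sample log lines (assumed format: combined log with a trailing
# quoted Cookie field). Line 2 carries a benign CacheWarmer value, line 4 a
# near miss whose prefix is not one of the three, line 3 the indicator.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [03/Jun/2026:10:00:02 +0000] "GET /women/tops.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0" "CacheWarmer:1; PHPSESSID=abc123"',
    f'198.51.100.7 - - [03/Jun/2026:10:00:03 +0000] "GET /checkout/cart/ HTTP/1.1" 200 4096 "-" "curl/8.0" "CacheWarmer:{SUSPICIOUS}"',
    '198.51.100.7 - - [03/Jun/2026:10:00:04 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 3000 "-" "curl/8.0" "CacheWarmer:Y2FjaGU="',
]


if __name__ == "__main__":
    print("prefix origins:", explain_prefixes())
    for line_no, prefix in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: CacheWarmer value starts with {prefix} (possible serialized payload)")
```

Two practical notes. The prefixes are plain alphanumerics, so they survive URL-encoding of the cookie in logs, but the stock Apache and nginx combined formats do not log the Cookie header at all; you will need a custom log format, a WAF or CDN log, or the application's own request logging for this search to find anything. A match is evidence of an attempt, not of success, so pair any hit with the post-exploitation checks listed above.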
How Halo Security can help
Before you can patch, you need to know which of your sites run Magento in the first place. Halo Security customers can use Technology Scanning to surface every Magento store across their attack surface. Our agentless discovery continuously fingerprints the technologies running on each internet-facing host we find, and the Technology list filter lets you pull up your Magento deployments in seconds. For organizations managing many storefronts, subsidiaries, or client sites, that inventory is the difference between patching with confidence and hoping you didn't miss one.
We're researching direct detection for CVE-2026-45247. In the meantime, because the vulnerable extension runs on public storefront pages, Website Scanning and continuous discovery help keep your view of internet-facing Magento assets current as new stores, staging environments, and acquired properties come online.
FAQ
Is CVE-2026-45247 being actively exploited?
Yes. CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, based on evidence of active exploitation, with a remediation deadline of June 6, 2026 for federal agencies.
How can I tell if I'm affected?
If you run Mirasvit Full Page Cache Warmer for Magento 2 below version 1.11.12, you're affected. Note that the extension is bundled with other Mirasvit packages, so it may be present even if you didn't install it directly. To check for exploitation attempts, search your logs for a CacheWarmer cookie matching the pattern CacheWarmer:(Tz|Qz|YT).
How quickly do I need to patch?
Same-day for any internet-facing Magento store. The vulnerability requires no authentication, is actively exploited, and CISA's three-day federal remediation window reflects the urgency.
What should I do if I can't patch immediately?
Disable the Mirasvit Cache Warmer extension. The vulnerable code lives in the extension, so disabling it removes the attack path until you can upgrade to version 1.11.12 or later.
Does this affect both Magento Open Source and Adobe Commerce?
Yes. Magento Open Source and Adobe Commerce share the same underlying framework and extension ecosystem, so any Magento 2 store running a vulnerable version of the Mirasvit Cache Warmer extension is affected regardless of edition.
We're here to help
Want to know where you run Magento across your attack surface before the next critical extension flaw lands? Halo Security's external vulnerability management platform helps you find every internet-facing asset in your environment and stay ahead of newly exploited CVEs as they're added to the KEV catalog.
New CVEs land daily. Halo Threat Intelligence scores each one's internet-facing exposure with the Surface Signal 1-5 rating so you know what to prioritize.