Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.3
CVE-2026-45247: Mirasvit Full Page Cache Warmer for Magento 2 Remote Code Execution
CVE-2026-45247
Summary
An outdated version of the Mirasvit Full Page Cache Warmer for Magento 2 makes it possible for attackers to execute malicious code on the server without needing a password. This is a significant risk because it could allow hackers to access sensitive data or take control of the website. To protect against this, update the Mirasvit Full Page Cache Warmer to version 1.11.12 or later.
Original title
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplyin...
Original description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 26 May 2026 · Updated: 28 May 2026 · First seen: 26 May 2026