CVE-2026-45247
9.8 CRITICALMirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenti...
Published: 2026-05-26 · Last updated: 2026-06-03
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| mirasvit | full_page_cache_warmer |
Description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45247
- [Other]https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer
- [Other]https://sansec.io/research/mirasvit-cache-warmer-object-injection
- [Other]https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection
- [Other]https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45247
- [Other]https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/
Related CVEs
Same CWE
- CVE-2026-20251 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, ... (8.8 HIGH)
- CVE-2026-53435 — In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined i... (8.8 HIGH)
- CVE-2026-52751 — Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthe... (8.8 HIGH)
- CVE-2026-10721 — Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components
- CVE-2026-11815 — An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deseriali...