CVE-2026-45247

Published May 26, 2026

Last updated 15 days ago

Exploit knownCVSS critical 9.3
Magento
Server
Mirasvit Full Page Cache Warmer
Magento 2

Overview

Description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
full_page_cache_warmer

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability
Exploit added on
Jun 3, 2026
Exploit action due
Jun 6, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

disclosure@vulncheck.com
CWE-502

Social media

Hype score
Not currently trending

  1. 🛡️ CVE-2026-45247: Deserialización en Mirasvit Full Page Cache Warmer permite RCE no autenticado Análisis técnico del CVE-2026-45247 en Mirasvit Full Page Cache Warmer: deserialización PHP insegura que permite RCE sin autenticación. Mitigaciones incluidas. https://t.co/

    @CiberPlanetaOrg

    18 Jun 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 00:00 UTC: CVE-2026-45247 disclosed. CISA: CVE-2026-45247 added to Known Exploited Vulnerabilities — Mirasvit Mirasvit Full Page Cache Warmer CVE-2026-45247 added to CISA KEV: Mirasvit Mirasvit Full Page Cache Warmer

    @lyrie_ai

    10 Jun 2026

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. CVE-2026-45247: 🚨 Attackers are actively exploiting CVE-2026-45247, a critical Magento RCE flaw in Mirasvit Cache Warmer. CISA added it to KEV. The bug scores 9.8 CVSS and allows unauthenticated PHP code execution via crafted CacheWarmer cookies. Patch before June 6.…

    @lyrie_ai

    9 Jun 2026

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Legacy exposure keeps paying off for attackers. CVE-2026-45247: Mirasvit Cache Warmer RCE Threatens Magen… CVE-2026-45247 is an actively exploited Mirasvit Cache Warmer flaw that can let unauthentic… 🔗 Read → https://t.co/Qk3vCxHjSU

    @fynn_JourX

    8 Jun 2026

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. For defenders, cve-2026-45247: mirasvit cache warmer rce threatens magento sto… should move fast. CVE-2026-45247 is an actively exploited Mirasvit Cache Warmer flaw that can let unauthentic… 🔗 Details → https://t.co/fh3037JVvP

    @SocXAInvaders

    8 Jun 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🛑 CVE-2026-45247: Mirasvit Cache Warmer RCE Threatens Magento Stores CVE-2026-45247 is an actively exploited Mirasvit Cache Warmer flaw that can let unauthentic… 🔗 Details → https://t.co/tsdSkfbAoK

    @lucasverdan

    8 Jun 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Intel Report [CRITICAL] - On June 3, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation in the wild. The... https://t.co/IXGB4dTRuh

    @EnigmaGlobalSW

    6 Jun 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Critical RCE vulnerability (CVE-2026-45247) in Magento's Mirasvit Cache Warmer extension actively exploited. Immediate update to version 1.11.12 recommended. Link: https://t.co/Ia2G5ywP8g #Magento #Mirasvit #RCE #Vulnerability #Exploit #Security #Cyberattack #Patch #Update https:

    @dailytechonx

    5 Jun 2026

    73 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Top 5 Trending CVEs: 1 - CVE-2026-45247 2 - CVE-2026-27914 3 - CVE-2017-11882 4 - CVE-2026-45495 5 - CVE-2026-0826 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    5 Jun 2026

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2026-45247 Mirasvit e CVE-2026-23479 Redis: aggiornamento CISA KEV e RCE Vulnerabilità, cisa, Redis https://t.co/KDB1NYPMRn https://t.co/qx3QSMk8qW

    @matricedigitale

    4 Jun 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🔬 CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog Critical CVE / Exploit: The U.S. Cybersecurity and Infrastructure Security Agency (C... https://t.co/57KsYefn8v #CVE #CyberSecurity #SecurityAlert #TechNews

    @MyDooM15

    4 Jun 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Unauthenticated RCE in Mirasvit Cache Warmer for Magento 2. CVE-2026-45247 (CVSS 9.3) lets attackers exploit PHP object injection with zero privileges. Update to v1.11.12 now. #Magento #Security https://t.co/FsQ4BfgfT0 https://t.co/H51n1Jl1V4

    @SecAlertsCo

    31 May 2026

    89 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. #Imperva Customers #Protected Against CVE-2026-45247 in #Mirasvit #Full_Page_Cache Warmer for #Magento https://t.co/h0qmrWqDm9 https://t.co/FVE9RZVAF4

    @omvapt

    30 May 2026

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 🚨 CVE-2026-45247 — CVSS 9.8/10 ██████████ Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that... Severity: CRITICAL Patch now. #cybersecurity #CVE https://t.co/jyam8S6TLa

    @OrizonCyber

    26 May 2026

    77 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following VulnerabilityCVE-2026-54420
  2. Check Point Security Gateway Improper Authentication VulnerabilityCVE-2026-50751
  3. A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive.CVE-2026-11419
  4. A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials. A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem.CVE-2026-11414
  5. A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.CVE-2026-34909

References

Sources include official advisories and independent security research.