Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Description

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

Affected Products

Vendor	Product	Versions
mirasvit	full page cache warmer for magento	0

References

https://sansec.io/research/mirasvit-cache-warmer-object-injection(technical-description)
https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer(release-notes, patch)
https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection(third-party-advisory)

Related News (3 articles)

Tier D

SecurityWeek4h ago

Mirasvit Vulnerability Exploited to Execute Code on Magento Servers

→ No new info (linked only)

Tier D

The Hacker News9h ago

CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

→ No new info (linked only)

Tier C

VulDB9d ago

CVE-2026-45247 | Mirasvit Full Page Cache Warmer for Magento 2 up to 1.11.11 on Magento unserialize deserialization

→ No new info (linked only)

CVSS 3.19.8 NONE

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

1.11.12

CWECWE-502

PublishedMay 26, 2026

Last enriched9d agov2

Trending Score132🔥

Source articles3

Independent3

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Description

Affected Products

References

Related News (3 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History