On 3 June 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑45247 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry, titled "Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability", concerns Mirasvit Full Page Cache Warmer, a Magento extension used on Adobe Commerce platforms. The flaw allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.
The vulnerability is a deserialisation-of-untrusted-data issue in PHP that enables remote code execution without authentication. It carries a CVSS v3.1 base score of 9.8, rated Critical. The flaw is triggered via the CacheWarmer HTTP cookie, which the extension processes without proper validation, allowing an attacker to inject malicious serialized payloads. A patch is available from the vendor.
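For defenders reviewing exposure, the following added example (not code from CISA, Mirasvit or Adobe) flags requests whose CacheWarmer cookie decodes to a PHP serialized object. It assumes a constructed log format of client address, a tab, then the Cookie header, and it tries URL and base64 decoding because the page does not state how the cookie value is encoded.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Markers PHP serialize() emits for objects: O:<len>:"Class":<n>:{ and C:<len>:"Class":<n>:{
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[\w\\]+":\d+:\{')
# Cookie name is taken from the advisory; the value ends at ';' or whitespace.
COOKIE = re.compile(r'(?:^|;\s*)CacheWarmer=([^;\s]*)')


def decodings(raw):
    """Return the raw cookie value plus its URL-decoded and base64-decoded forms."""
    forms = {raw, unquote(raw), unquote(unquote(raw))}
    for value in list(forms):
        try:
            padded = value + "=" * (-len(value) % 4)
            forms.add(base64.b64decode(padded, validate=True).decode("latin-1"))
        except (binascii.Error, ValueError):
            pass  # not base64, keep the other forms
    return forms


def is_suspicious(cookie_header):
    """True if any CacheWarmer cookie value decodes to a PHP serialized object."""
    for match in COOKIE.finditer(cookie_header):
        if any(PHP_OBJECT.search(form) for form in decodings(match.group(1))):
            return True
    return False


def scan(lines):
    """Yield the client address of each 'ip<TAB>Cookie header' line that matches."""
    for line in lines:
        client, _, cookie_header = line.rstrip("\n").partition("\t")
        if is_suspicious(cookie_header):
            yield client


# Constructed sample input: documentation addresses and a harmless stdClass object.
_OBJ = 'O:8:"stdClass":0:{}'
SAMPLE_LOG = [
    "198.51.100.7\tPHPSESSID=abc123; CacheWarmer=1717400000",
    "203.0.113.10\tCacheWarmer=" + quote(_OBJ, safe=""),
    "203.0.113.11\tPHPSESSID=x; CacheWarmer=" + base64.b64encode(_OBJ.encode()).decode(),
    "198.51.100.8\tCacheWarmer=" + quote('a:1:{s:3:"uri";s:1:"/";}', safe=""),
]

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```

A match shows that a serialized object was sent in the cookie, not that exploitation succeeded, so treat hits as leads for host-level investigation on unpatched installations.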
CISA’s addition of CVE‑2026‑45247 to the KEV catalogue indicates that active exploitation has been observed in the wild. No known ransomware campaign has been linked to this vulnerability to date. Federal agencies must apply the required mitigation by the remediation deadline of 6 June 2026.
CISA directs all Federal Civilian Executive Branch (FCEB) agencies to: apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the binding deadline applies to FCEB entities, CISA advises all organisations to review their exposure to Mirasvit Full Page Cache Warmer and implement the same mitigations where relevant.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-45247 and the CISA KEV catalogue.