THE U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Mirasvit Full Page Cache Warmer flaw (CVE-2026-45247) to its Known Exploited Vulnerabilities catalog. This critical PHP object injection vulnerability impacts Mirasvit versions below 1.11.12 for Magento 2, allowing unauthenticated attackers to achieve remote code execution by exploiting an unsafe `unserialize()` call.
Researchers from Sansec discovered that a single specially crafted cookie can trigger remote code execution, with thousands of Magento stores potentially affected. CISA mandates that federal agencies rectify this flaw by June 6, 2026, and advises private organizations to review and address related vulnerabilities.