THE US cybersecurity agency CISA has issued a warning to federal agencies to promptly patch a significant vulnerability (CVE-2026-45247) in the Mirasvit Full Page Cache Warmer for Magento 2 extension, which has been exploited for remote code execution (RCE). This vulnerability, with a high CVSS score of 9.8, allows attackers to execute arbitrary code remotely without authentication by injecting crafted serialized PHP objects.
Thousands of Magento and Adobe Commerce stores using versions prior to 1.11.12 are at risk. Following public disclosure on May 26, the vulnerability has begun to be actively exploited. CISA has added it to its Known Exploited Vulnerabilities catalog, urging patches within three days for federal agencies, while also advising all organizations to upgrade to a secure version.