Vulnerability intelligence
CVE-2026-45247
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
CVSS Score: 9.8 (Critical)
EPSS (Exploit Probability): 6.1% (riskier than 91% of all CVEs)
Exploitation: Confirmed in the wild; KEV since 2026-06-03
Remediation: Patch available; federal deadline 2026-06-06
6 articles across 6 outlets · first covered Jun 1, 2026 · latest Jun 4, 2026
Tracked incidents
Coverage timeline
- CISA adds Magento cache flaw CVE-2026-45247 to KEV catalogue · securityaffairs.com · Jun 4, 2026
- CISA warns federal agencies to patch critical Magento cache flaw · www.securityweek.com · Jun 4, 2026
- CISA urges patching of exploited Magento RCE flaw CVE-2026-45247 · thehackernews.com · Jun 4, 2026
- CISA flags Mirasvit cache flaw CVE-2026-45247 as exploited. · www.cisa.gov · Jun 4, 2026
- Critical RCE Flaws Fixed in Mautic Marketing Platform · securityonline.info · Jun 4, 2026
- CISA warns of exploits in Magento cache extension CVE-2026-45247 · cisa.gov · Jun 3, 2026