
CISA adds exploited Magento cache flaw CVE-2026-45247 to KEV catalog

Vulnerability | Open | Jun 3, 2026 – Jun 4, 2026

On 3 June 2026 the Cybersecurity and Infrastructure Security Agency (CISA) added the Mirasvit Full Page Cache Warmer flaw tracked as CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalogue, warning that unauthenticated attackers can achieve remote code execution on Magento 2 stores via a malicious cookie (CISA alert).

The vulnerability carries a CVSS v3.1 base score of 9.8 and stems from an unsafe unserialize() call in the extension's CacheWarmer cookie-processing routine. Because PHP's unserialize() instantiates whatever class a serialized string names, an attacker who controls the cookie can supply a crafted serialized PHP object whose magic methods (__wakeup, __destruct and the like) then run with attacker-chosen property values, which is what turns the bug into arbitrary code execution without authentication (SecurityAffairs reports). It affects Mirasvit Full Page Cache Warmer versions prior to 1.11.12 for Magento 2 and Adobe Commerce.
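The bug class described above, as an added example that is not Mirasvit's code and does not reproduce the real extension: a hypothetical CacheWarmerState kept in a cookie, a stand-in gadget class (LogWriter), the vulnerable unserialize()-on-cookie pattern, and a hardened replacement that stores the state as JSON behind an HMAC. The class names, cookie layout and the WARMER_COOKIE_KEY constant are assumptions for illustration; the code targets PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Mirasvit's code. Class and cookie names are assumed for
// illustration; the point is the bug class: unserialize() on a cookie value.

// Hypothetical state the extension keeps in a cookie.
final class CacheWarmerState
{
    /** @var string[] */
    public array $pages = [];
}

// Stand-in for a gadget class. Any autoloadable class whose magic method
// (__destruct, __wakeup, __toString, ...) acts on its properties can be
// abused; real chains use classes that already ship with the app or vendor tree.
final class LogWriter
{
    public string $path = '/tmp/warmer.log';
    public string $data = '';

    public function __destruct()
    {
        // A real gadget would do file_put_contents($this->path, $this->data).
        echo "side effect: would write {$this->data} to {$this->path}\n";
    }
}

// VULNERABLE pattern: whatever class the serialized string names is
// instantiated, and its magic methods run with attacker-chosen properties.
function loadStateVulnerable(string $cookie): mixed
{
    return unserialize(base64_decode($cookie));
}

// Assumption: a per-install secret, read from config or the environment in practice.
const WARMER_COOKIE_KEY = 'replace-with-secret-from-env-or-config';

// HARDENED pattern: no object graph at all. Encode the state as JSON,
// authenticate the cookie with an HMAC, and rebuild the object from validated fields.
function encodeState(CacheWarmerState $state): string
{
    $payload = json_encode(['pages' => $state->pages], JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, WARMER_COOKIE_KEY);   // hex digest, never contains '.'
    return base64_encode($mac . '.' . $payload);
}

function loadStateSafe(string $cookie): ?CacheWarmerState
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || !str_contains($raw, '.')) {
        return null;
    }
    [$mac, $payload] = explode('.', $raw, 2);
    // Constant-time compare; reject before parsing anything.
    if (!hash_equals(hash_hmac('sha256', $payload, WARMER_COOKIE_KEY), $mac)) {
        return null;
    }
    $data = json_decode($payload, true, 4);   // associative arrays only, shallow depth
    if (!is_array($data) || !isset($data['pages']) || !is_array($data['pages'])) {
        return null;
    }
    $state = new CacheWarmerState();
    foreach ($data['pages'] as $page) {
        if (is_string($page) && preg_match('#^/[\w./-]*$#', $page)) {   // path-shaped values only
            $state->pages[] = $page;
        }
    }
    return $state;
}

// --- demo (constructed input) ---------------------------------------------
// The attacker needs no access to the class: the string is written by hand.
$malicious = base64_encode(
    'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:19:"attacker-controlled";}'
);

echo "vulnerable: ";
$obj = loadStateVulnerable($malicious);   // a LogWriter built from the cookie
echo get_class($obj), "\n";
unset($obj);                              // __destruct fires here with attacker values

echo "hardened: ";
var_dump(loadStateSafe($malicious));      // NULL: MAC check fails, nothing is parsed

$legit = new CacheWarmerState();
$legit->pages = ['/', '/catalog/category/view/id/5'];
echo count(loadStateSafe(encodeState($legit))->pages), " pages restored\n";
```

Run it with `php example.php`. The vulnerable path prints the LogWriter side effect with the attacker's path and data; the hardened path rejects the same cookie before any parsing because the MAC does not verify. If unserialize() cannot be removed, the narrower fix is `unserialize($raw, ['allowed_classes' => false])`, which turns every object into __PHP_Incomplete_Class so no application magic methods run, but signed JSON is the cleaner design.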

Researchers at Sansec disclosed the issue on 26 May and showed that a single specially crafted cookie value is enough to trigger the deserialization flaw, with thousands of Magento stores potentially exposed. Public disclosure was followed by active exploitation in the wild, although no specific threat actors have been identified to date (The Hacker News notes).

CISA's inclusion of CVE-2026-45247 in the KEV catalogue requires federal civilian agencies to apply the patch by 6 June 2026 and advises all organisations to prioritise mitigation, noting that the flaw is being actively exploited and poses a significant risk to e-commerce environments (CISA KEV entry).

Administrators should upgrade the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later, review any custom code that handles the CacheWarmer cookie, and disable the extension if it is not required. Patching does not reveal whether a store was already hit, so also review web server logs for requests whose cookie values look like serialized PHP objects (the O:<len>:"ClassName" prefix that PHP's serialize() emits, possibly URL- or base64-encoded) and deploy a web application firewall rule that blocks such cookie values before they reach PHP (SecurityWeek advises).
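The log review suggested above, as an added example that is not from any vendor or from the page: a small PHP scanner that pulls one cookie out of each access-log line and flags values that decode to a serialized PHP object, whether they arrive raw, URL-encoded or base64-wrapped. It assumes an nginx-style custom log format of `$remote_addr "$request" "$http_cookie"` (with nginx's `\xNN` escaping of quotes), a watched cookie name of mst_cache_warmer, and the constructed log lines below; all three are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from any vendor. Assumed log format:
//   $remote_addr "$request" "$http_cookie"   (nginx escapes '"' inside fields as \x22)
// The watched cookie name is an assumption.
const WATCH_COOKIE = 'mst_cache_warmer';

// PHP's serialize() writes objects as O:<len>:"<class>":<n>:{ ... } and
// serializable objects as C:<len>:"<class>":<len>:{ ... }; arrays (a:) carry no
// class name and cannot instantiate anything, so only O and C are flagged.
const SERIALIZED_OBJECT = '/[OC]:\d+:"[\w\\\\]+":\d+:\{/';

// Undo nginx's \xNN escaping so raw quotes in the cookie are visible again.
function unescapeNginx(string $field): string
{
    return preg_replace_callback(
        '/\\\\x([0-9A-Fa-f]{2})/',
        static fn(array $m): string => chr((int) hexdec($m[1])),
        $field
    );
}

function extractCookie(string $cookieHeader, string $name): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        $pair = trim($pair);
        if (str_starts_with($pair, $name . '=')) {
            return substr($pair, strlen($name) + 1);
        }
    }
    return null;
}

function looksSerializedObject(string $value): bool
{
    // Try the value as-is, URL-decoded, and strictly base64-decoded, since an
    // attacker wraps the payload in whatever encoding the target decodes.
    $candidates = [$value, rawurldecode($value)];
    foreach ([$value, rawurldecode($value)] as $c) {
        $decoded = base64_decode($c, true);
        if ($decoded !== false && $decoded !== '') {
            $candidates[] = $decoded;
        }
    }
    foreach ($candidates as $c) {
        if (preg_match(SERIALIZED_OBJECT, $c) === 1) {
            return true;
        }
    }
    return false;
}

// Returns ['ip' => ..., 'request' => ..., 'cookie' => ...] for a suspicious line, else null.
function scanLogLine(string $line): ?array
{
    $field = '"((?:[^"\\\\]|\\\\.)*)"';   // quoted field that may contain \-escapes
    if (!preg_match('/^(\S+) ' . $field . ' ' . $field . '$/', $line, $m)) {
        return null;
    }
    $value = extractCookie(unescapeNginx($m[3]), WATCH_COOKIE);
    if ($value === null || !looksSerializedObject($value)) {
        return null;
    }
    return ['ip' => $m[1], 'request' => $m[2], 'cookie' => $value];
}

/** @param string[] $lines */
function scanLog(array $lines): array
{
    return array_values(array_filter(array_map('scanLogLine', $lines)));
}

// --- demo (constructed log lines, not real traffic) ------------------------
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:19:"attacker-controlled";}';
$lines = [
    // benign: JSON-encoded state, URL-encoded
    '203.0.113.10 "GET / HTTP/1.1" "PHPSESSID=abc123; mst_cache_warmer=%7B%22pages%22%3A%5B%22%2F%22%5D%7D"',
    '203.0.113.11 "GET /robots.txt HTTP/1.1" "-"',
    // serialized object, URL-encoded
    '198.51.100.7 "GET /catalog HTTP/1.1" "mst_cache_warmer=' . rawurlencode($payload) . '"',
    // serialized object, base64-wrapped
    '198.51.100.8 "GET / HTTP/1.1" "mst_cache_warmer=' . base64_encode($payload) . '"',
    // serialized object sent raw; nginx logs its quotes as \x22
    '198.51.100.9 "GET / HTTP/1.1" "mst_cache_warmer=' . str_replace('"', '\x22', $payload) . '"',
];

foreach (scanLog($lines) as $hit) {
    printf("ALERT %s %s\n", $hit['ip'], $hit['request']);
}
```

Only the three 198.51.100.x lines are reported; the JSON cookie and the cookieless request are not. The same O:/C: pattern, applied to the decoded cookie value, is what a WAF rule should match on, and it has to be applied after URL and base64 decoding or the rule is trivially bypassed. Adapt the log-line regex to your own access-log format before use; the nginx field layout here is an assumption.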

Keeping an up-to-date inventory of installed Magento extensions and other third-party components, subscribing to CISA KEV notifications for future alerts, and ensuring incident response playbooks cover deserialisation-based remote code execution will improve resilience against similar threats.

Intelligence briefing updated Jun 10, 2026
Tags: CVE-2026-45247 | CVSS 9.8 | KEV
Root source: www.cisa.gov