CVE-2026-45247
PHP Object Injection in Mirasvit Full Page Cache Warmer for Magento 2
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mirasvit | full_page_cache_warmer | to 1.11.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45247 is a PHP object injection vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 versions before 1.11.12. It occurs because the extension unserializes attacker-controlled data from a cookie named CacheWarmer without proper validation. This allows unauthenticated attackers to supply a crafted serialized PHP object that, when deserialized, can trigger malicious code execution on the server.
The vulnerability exploits the unrestricted use of PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies, enabling remote code execution without requiring any authentication or admin access.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to execute arbitrary code remotely on the affected server. Since no authentication is required, attackers can exploit this flaw simply by sending a specially crafted cookie to any storefront page.
- Remote code execution on the server hosting the Magento store.
- Potential full compromise of the affected system, including unauthorized access to data and control over server operations.
- Possibility of deploying malware, defacing websites, stealing sensitive customer information, or disrupting business operations.
Because the vulnerability is easily exploitable and automated exploit signatures can be created, it poses an urgent security risk to merchants using vulnerable versions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP requests containing a specially crafted CacheWarmer cookie with serialized PHP objects. Such cookies often include base64-encoded strings starting with markers like Tz, Qz, or YT.
To detect potential exploitation attempts on your network or system, you can inspect incoming HTTP requests for suspicious CacheWarmer cookies that contain these base64-encoded serialized objects.
- Use network monitoring tools or web server logs to search for requests with the CacheWarmer cookie.
- Example command to search web server logs for suspicious CacheWarmer cookies (assuming Apache logs):
- grep 'CacheWarmer=' /var/log/apache2/access.log | grep -E 'Tz|Qz|YT'
- Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests containing the CacheWarmer cookie.
- Deploy specialized scanning tools such as eComscan to detect signs of compromise related to this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The most immediate and effective mitigation is to update the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later, which contains the patch for this vulnerability.
Additional immediate steps include deploying real-time protection solutions such as Sansec Shield to block exploitation attempts and scanning your system for signs of compromise.
- Update the Mirasvit Cache Warmer extension to version 1.11.12 or later.
- Deploy real-time protection tools like Sansec Shield.
- Use scanning tools such as eComscan to detect any compromise.
- Review web-accessible directories for unauthorized PHP files or other suspicious artifacts.