Bottom line: A PHP object injection in Mirasvit Cache Warmer (CVE-2026-45247) enables unauthenticated remote code execution on Magento 2 and Adobe Commerce systems and is already being actively exploited.
A PHP object injection in the Mirasvit extension Full Page Cache Warmer for Magento 2 and Adobe Commerce (CVE-2026-45247, CVSS 9.8) is already being exploited by attackers to execute code remotely on e-commerce servers. CISA has added the vulnerability to its list of actively exploited vulnerabilities.
The US cybersecurity agency CISA warned on May 26, 2026 of the critical vulnerability CVE-2026-45247 in the Mirasvit extension Full Page Cache Warmer. The vulnerability affects Magento 2 and Adobe Commerce systems and has a CVSS score of 9.8. According to security firm Imperva, attackers began active exploitation immediately after public disclosure.
The vulnerability stems from insufficient validation during deserialization of PHP objects. Attackers inject manipulated, serialized PHP objects via the CacheWarmer cookie. The system deserializes this data without restricting it to permitted classes. Combined with gadget chains from Magento code that is already installed, the object injection (CWE-502) leads to remote code execution. Unauthenticated attackers can thus execute arbitrary code directly on the web servers.
All installations of the Mirasvit extension in versions prior to 1.11.12 are affected. According to Sansec, the extension runs on thousands of e-commerce platforms. CISA has instructed US federal agencies to update affected systems within three days.
Administrators can identify suspicious activity in server logs by checking storefront requests for the CacheWarmer cookie. A cookie value matching the pattern CacheWarmer:(Tz|Qz|YT) indicates an exploitation attempt, because serialized PHP objects begin with these prefixes once they are Base64-encoded.
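The log check described above, as an added example that is not part of the original article or of any vendor tooling. It goes one step beyond the prefix match by decoding the start of the value and confirming that it is a PHP serialization type marker, which filters out values that merely begin with Tz, Qz or YT. Assumptions: the access log records the Cookie header, "=" is accepted alongside ":" as separator, and the names classify and scan are hypothetical.

```python
import base64
import re
from urllib.parse import unquote

# Article's pattern; "=" is also accepted as separator (assumption: raw
# Cookie headers are logged as name=value).
SUSPECT = re.compile(r"CacheWarmer[:=]((?:Tz|Qz|YT)[A-Za-z0-9+/%=_-]*)")
# PHP serialize() type markers behind the three Base64 prefixes.
MARKERS = {b"O:": "object", b"C:": "custom-serialized object", b"a:": "array"}


def classify(value):
    """Return the PHP serialized type the cookie value starts with, or None."""
    chunk = unquote(value).replace("-", "+").replace("_", "/")[:4]
    chunk += "=" * (-len(chunk) % 4)
    try:
        head = base64.b64decode(chunk)[:2]
    except ValueError:
        return None
    return MARKERS.get(head)


def scan(lines):
    """Return (line_number, client_ip, type) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = SUSPECT.search(line)
        kind = classify(match.group(1)) if match else None
        if kind:
            hits.append((number, line.split()[0], kind))
    return hits


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed sample log (harmless values, documentation IP ranges).
PREFIX = ' - - [01/Jan/2026:00:00:00 +0000] "GET / HTTP/1.1" 200 512 "'
SAMPLE_LOG = [
    "192.0.2.10" + PREFIX + "CacheWarmer=" + _b64(b'O:8:"stdClass":0:{}') + '"',
    "192.0.2.11" + PREFIX + 'CacheWarmer=1"',      # no serialized prefix
    "198.51.100.7" + PREFIX + "CacheWarmer:" + _b64(b"a:0:{}") + '"',
    "192.0.2.12" + PREFIX + 'CacheWarmer=Tzab"',   # prefix matches, decodes to "O6"
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d from %s: serialized PHP %s in CacheWarmer cookie" % hit)
```

A hit shows that a serialized value was sent in the cookie, not that code execution succeeded, so flagged requests still need to be correlated with the installed extension version and other host evidence.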
An immediate update to version 1.11.12 or later is strongly recommended, as this version implements protective mechanisms against object injection.
Source: www.it-daily.net · Published June 10, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.