A PHP object injection in Mirasvit Cache Warmer (CVE-2026-45247) enables unauthenticated remote code execution on Magento 2 and Adobe Commerce systems and is already being actively exploited.