Mirasvit Mirasvit Full Page Cache Warmer
Mirasvit Mirasvit Full Page Cache Warmer is affected by a critical-severity vulnerability (CVE-2026-45247) that is confirmed to be actively exploited in the wild. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
What is this vulnerability?
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
How it works
This is classified as Deserialization of Untrusted Data. In plain terms, an attacker could use this flaw in Mirasvit Full Page Cache Warmer to gain access, disrupt service, or steal data — the exact impact depends on how it’s deployed in your environment.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Mitigations
- Apply the vendor’s security patch or update as soon as it’s available and tested.
- If no patch exists yet, apply the vendor’s temporary workaround.
- Limit network exposure of the affected system until it’s patched.
- Review logs for signs of prior exploitation, especially if it’s flagged for ransomware use.
Recommendations
- Confirm whether Mirasvit Mirasvit Full Page Cache Warmer is used anywhere in your environment.
- Patch internet-facing systems first, then internal ones.
- Set a reminder ahead of the remediation deadline so it doesn’t slip.
- Subscribe to the vendor’s security advisories for earlier warning next time.
Compiled from public threat intelligence (CISA Known Exploited Vulnerabilities catalog and the National Vulnerability Database, referenced in 5 public advisories).