Critical Magento Cache Plugin Flaw Allows Unauthenticated RCE
A critical unauthenticated remote code execution vulnerability has been publicly disclosed in Mirasvit Full Page Cache Warmer, a widely deployed Magento 2 extension used by thousands of e-commerce merchants globally.
Tracked as CVE-2026-45247 and carrying a CVSS v3.1 score of 9.8, the flaw requires no authentication, no admin session, and no special server configuration to exploit, making it one of the most dangerous Magento vulnerabilities disclosed in 2026.
According to Sansec, Mirasvit Full Page Cache Warmer pre-populates a store’s full-page cache by simulating different visitor states: currency, customer group, language, and other session-specific settings.
To accomplish this, the extension packs session state data into a CacheWarmer cookie and sends it with each crawl request. A server-side plugin reads this cookie and adjusts the session before rendering the page.
The critical design flaw is that this plugin executes on every storefront request, not just internal warmer traffic. This exposes the vulnerable code path to any internet-connected attacker without restriction, Sansec said.
At the technical core of CVE-2026-45247 is PHP’s native unserialize() function. The extension passes part of the CacheWarmer cookie value directly into unserialize() with no class restrictions and no authentication gate.
Because the cookie value is entirely attacker-controlled, this constitutes a classic PHP Object Injection flaw, classified under CWE-502.
An attacker simply crafts a serialized PHP object embedding a malicious payload, injects it into the CacheWarmer cookie, and sends a standard HTTP request to any store page, triggering arbitrary code execution on the server.
All Mirasvit Cache Warmer versions prior to 1.11.12 are vulnerable. The extension is also bundled in several broader Mirasvit packages, meaning thousands of merchants may be running it without having installed it directly.
Sansec’s scans identified approximately 6,000 stores running Mirasvit extensions, with the actual number likely far higher since CDNs like Cloudflare obscure many installs from fingerprinting tools.
Timeline
| Date | Event |
|---|---|
| April 24, 2026 | Sansec discovers the flaw; virtual patch deployed for Shield customers |
| May 21, 2026 | Mirasvit notified via coordinated disclosure |
| May 25, 2026 | Patched version 1.11.12 released by Mirasvit |
| May 26, 2026 | CVE-2026-45247 formally assigned and publicly disclosed |
| May 28, 2026 | Imperva and additional vendors confirm WAF protections |
Since serialized PHP objects base64-encode to values beginning with Tz, Qz, or YT, any cookie matching the pattern CacheWarmer:(Tz|Qz|YT) is a strong indicator of an active exploitation attempt.
Security teams should review server logs for unusual activity during the disclosure window and audit for unexpected admin accounts or configuration changes.
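The log review described above can be scripted. The following is an added example, not code from Sansec or Mirasvit; it assumes the access logs record the Cookie header, and the sample lines, their field layout, and the function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# PHP serialize() type tags: object, custom-serialized object, array.
PHP_TAGS = (b"O:", b"C:", b"a:")
# The first two base64 characters depend only on the first 12 input bits,
# so each tag fixes a prefix: Tz, Qz, YT (the values given in the article).
PREFIXES = [base64.b64encode(tag)[:2].decode() for tag in PHP_TAGS]
PATTERN = re.compile(r"CacheWarmer:(?:%s)" % "|".join(map(re.escape, PREFIXES)))


def suspicious(line: str) -> bool:
    """True if the line carries CacheWarmer:(Tz|Qz|YT), even percent-encoded."""
    decoded = line
    for _ in range(3):  # bounded loop: catches %3A and double-encoded %253A
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return PATTERN.search(decoded) is not None


def scan(lines):
    """Return (line_number, client_ip) for every matching log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        if suspicious(line):
            hits.append((number, line.split(" ", 1)[0]))
    return hits


# Constructed sample data. The value is a harmless empty stdClass object,
# used only so the cookie starts with a serialized-object prefix.
_sample = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG = [
    '192.0.2.10 "GET / HTTP/1.1" 200 "currency=EUR; store=default"',
    f'198.51.100.7 "GET /catalog HTTP/1.1" 200 "CacheWarmer:{_sample}"',
    f'203.0.113.5 "GET / HTTP/1.1" 200 "CacheWarmer%3A{_sample}"',
    '192.0.2.11 "GET / HTTP/1.1" 200 "CacheWarmer:eyJjdXJyZW5jeSI6IkVVUiJ9"',
]

if __name__ == "__main__":
    for number, ip in scan(SAMPLE_LOG):
        print(f"line {number}: possible CVE-2026-45247 attempt from {ip}")
```

A match only shows that a request carried a serialized-object cookie; whether the store was compromised still has to be settled by the malware scan and directory audit.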
Mitigation Steps
- Update immediately — Upgrade to Mirasvit Cache Warmer version 1.11.12 or later
- Deploy WAF protection — Block crafted CacheWarmer cookie patterns via Sansec Shield, Imperva, or a comparable WAF solution
- Scan for malware — Use eComscan or equivalent tooling to detect webshells, backdoors, or injected payment skimmers
- Audit web directories — Review pub/ and other web-accessible folders for unexpected PHP files
With zero authentication required and ordinary storefront HTTP traffic serving as the attack vector, unpatched Magento and Adobe Commerce stores remain critically exposed to automated exploitation at scale. Merchants are strongly urged to apply the patch immediately.