CVE-2026-45247: PHP Object Injection in Mirasvit Full Page Cache Warmer for Magento 2 - What It Means for Your Business and How to Respond
E-commerce platforms power much of your online revenue, and a single overlooked extension can expose your entire operation to attackers. CVE-2026-45247 represents one such high-severity risk: a critical vulnerability in a popular Magento 2 caching extension that enables remote code execution without requiring any login credentials.
If you operate an online store built on Magento or Adobe Commerce, especially one using performance-enhancing extensions, this issue demands immediate attention. This post explains the vulnerability in business terms, outlines potential impacts, and provides clear steps to determine if you are affected and how to protect your operations. For technical teams, a detailed appendix follows.
Security researchers at Sansec disclosed CVE-2026-45247 on May 26, 2026. The flaw affects Mirasvit Full Page Cache Warmer, a widely used extension for Magento 2 and Adobe Commerce that accelerates page loading by warming the cache.
Mirasvit released a patched version (1.11.12) on May 25, 2026, just before public disclosure. The vulnerability carries a CVSS score of 9.8, classifying it as critical. It stems from unsafe handling of user-supplied data in a cookie, allowing attackers to inject malicious objects that lead to arbitrary code execution on the server.
CISA added the CVE to its Known Exploited Vulnerabilities catalog shortly after reports of active exploitation emerged in the wild. This rapid inclusion underscores the urgency for businesses relying on Magento-based stores, as attackers have already begun targeting vulnerable instances.
The timeline highlights the speed at which modern threats evolve: notification to the vendor on May 21, patch release on May 25, disclosure and CVE assignment the next day, followed by confirmed exploitation and government cataloging within days.
A successful attack via this vulnerability can grant attackers full control over your web server. For an e-commerce business, this translates to immediate operational disruption, potential data theft, and long-term reputational damage.
Attackers could alter product pages, inject malicious scripts, or extract customer information including names, addresses, payment details, and order histories. In regulated sectors, this could trigger mandatory breach notifications under laws such as CCPA or state equivalents, leading to fines and legal costs.
Your revenue stream faces direct risk. Downtime during peak shopping periods or defaced storefronts erodes customer trust and drives sales to competitors. Even brief interruptions in order processing or inventory synchronization can result in lost transactions and fulfillment delays.
Compliance obligations become more complex. If you handle payment card data, an exploited system may violate PCI DSS requirements, prompting audits or higher processing fees. Smaller businesses with limited IT resources often suffer the most, as recovery can consume weeks of engineering time and significant unplanned expenses.
The unauthenticated nature of the flaw means anyone with knowledge of your store's URL can attempt exploitation. With active exploitation already underway, delaying action increases the likelihood of compromise.
E-commerce Retailer Under Attack: A regional apparel retailer operating a Magento store experienced unauthorized changes to pricing and product descriptions during a sales event. Customer orders placed after the compromise included fraudulent shipping details, resulting in thousands in chargebacks and eroded brand confidence.
Mid-Sized B2B Supplier: An industrial parts distributor using the affected extension suffered data exfiltration of client contact lists and pricing agreements. Competitors received the stolen information, undermining negotiated contracts and forcing emergency renegotiations with key accounts.
Online Marketplace Operator: A platform connecting small vendors to buyers faced server-level compromise that injected malware into checkout flows. Several customers reported unauthorized transactions, triggering payment processor investigations and temporary suspension of services.
Healthcare Product Store: A supplier of medical supplies to clinics had patient order histories exposed, raising HIPAA-related concerns despite operating primarily in a B2B capacity. The incident required extensive forensic investigation and customer communications, diverting resources from core operations.
If you answered yes to any of these, immediate verification and patching are recommended.
Protect your Magento store and broader digital infrastructure by scheduling a comprehensive penetration test with IntegSec. Our team identifies vulnerabilities like CVE-2026-45247 before attackers do, delivering actionable insights that reduce risk and support business continuity. Visit https://integsec.com today to learn how targeted testing can safeguard your operations.
TECHNICAL APPENDIX (security engineers, pentesters, IT professionals only)
The root cause lies in unsafe deserialization of data from the CacheWarmer cookie within the Mirasvit Full Page Cache Warmer extension. The component processes user-controlled input via PHP's unserialize() function without sufficient validation or whitelisting of allowed classes.
Attack vector is network-based (remote), with low complexity. No privileges or user interaction are required. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding the 9.8 score. This aligns with CWE-502: Deserialization of Untrusted Data.
NVD and related advisories detail gadget chains that enable arbitrary PHP code execution, often leading to full server compromise. Public exploit details have circulated following disclosure.
Check the installed extension version by reviewing composer.json or the module's configuration files, or navigate to the Magento admin panel under Stores > Configuration if accessible.
Use commands such as:
bin/magento module:status | grep Mirasvit_CacheWarmer
or inspect /vendor/mirasvit/module-cache-warmer/etc/module.xml for version information.
Vulnerability scanners may detect signatures related to the CacheWarmer cookie handling. Look for anomalous requests containing long base64-like strings or serialized PHP objects (starting with "O:" or "a:") in web server access logs targeting paths that interact with cache warming functionality.
Behavioral indicators include unexpected PHP process activity, new files in web directories, or outbound connections from the server. Network monitoring may reveal exploitation attempts with crafted cookie payloads.
For environments unable to patch immediately, web application firewall rules targeting the vulnerable cookie or virtual patching via security modules can serve as interim controls. Always prioritize the official vendor patch.