Description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Published: 2026-05-26
Score: 9.3 Critical
EPSS: 1.5% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

Mirasvit Full Page Cache Warmer for Magento 2 contains a PHP object injection flaw that allows attackers to supply a crafted serialized object in the CacheWarmer cookie. The vulnerability arises from an unrestricted call to PHP's unserialize() function coupled with vulnerable gadget chains in Magento and its dependencies. Exploitation yields arbitrary code execution on the web server, compromising confidentiality, integrity, and availability of the entire application. This vulnerability corresponds to CWE-502.

Affected Systems

The affected product is Mirasvit Full Page Cache Warmer for Magento 2. All versions released before 1.11.12 are vulnerable. Users who have not yet applied the 1.11.12 update are at risk.

Risk and Exploitability

The CVSS score of 9.3 places this vulnerability in the critical range. The EPSS score of 2% indicates a low exploitation probability, yet the flaw can be triggered without authentication simply by setting a malicious value in the CacheWarmer cookie. The vulnerability is listed in the CISA KEV catalog, and the unrestricted unserialize() call combined with gadget chains provides a clear path to remote code execution.

Generated by OpenCVE AI on June 17, 2026 at 07:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mirasvit Full Page Cache Warmer to version 1.11.12 or later.
  • If an upgrade cannot be performed immediately, remove or disable the Mirasvit Cache Warmer module to eliminate the vulnerable code path.
  • If the module must remain enabled, configure a web application firewall rule to detect and block payloads containing serialized PHP objects in the CacheWarmer cookie.
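
The detection logic behind such a rule can be prototyped and run over logged Cookie headers before it is deployed. The following is an added example, not code from OpenCVE or Mirasvit; the function names are hypothetical, the sample headers are constructed, and it assumes the cookie may arrive raw, URL-encoded, or as standard base64, since the advisory does not state the encoding.

```python
import base64
import binascii
import re
from urllib.parse import unquote

COOKIE_NAME = "CacheWarmer"  # cookie named in the advisory
# Object markers in PHP serialize() output: O:<len>:"Class":<count>:{ and the
# C: form; an optional "+" before the length is also matched.
OBJECT_MARKER = re.compile(rb'(?:^|;)[OC]:\+?\d+:"[^"]+":\d+:\{')

def cookie_value(header, name=COOKIE_NAME):
    """Return the named cookie's value from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None

def candidate_decodings(value):
    """Yield the value raw, URL-decoded once and twice, and each as base64.
    Assumption: the page does not say how the cookie is encoded on the wire."""
    for text in {value, unquote(value), unquote(unquote(value))}:
        raw = text.encode("utf-8")
        yield raw
        try:
            yield base64.b64decode(raw + b"=" * (-len(raw) % 4), validate=True)
        except (binascii.Error, ValueError):
            pass  # not base64; nothing more to inspect

def is_suspicious(cookie_header):
    """True when the CacheWarmer cookie carries a serialized PHP object."""
    value = cookie_value(cookie_header)
    if value is None:
        return False
    return any(OBJECT_MARKER.search(d) for d in candidate_decodings(value))

# Constructed sample Cookie headers (stdClass is a harmless built-in class).
SAMPLES = [
    ("PHPSESSID=abc123; CacheWarmer=7f3a9c1e", False),
    ("CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D", True),
    ("CacheWarmer=" + base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(), True),
    ("CacheWarmer=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22ok%22%3B%7D", False),
    ("theme=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D", False),
]

if __name__ == "__main__":
    for header, expected in SAMPLES:
        print(f"{is_suspicious(header)!s:5} (expected {expected}) {header}")
```

A match is a triage signal for log review or WAF rule tuning; it does not replace upgrading to 1.11.12 or removing the module.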

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mirasvit full Page Cache Warmer
CPEs cpe:2.3:a:mirasvit:full_page_cache_warmer:*:*:*:*:*:magento:*:*
Vendors & Products Mirasvit full Page Cache Warmer

Wed, 03 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-03T00:00:00+00:00', 'dueDate': '2026-06-06T00:00:00+00:00'}


Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Mirasvit
Mirasvit full Page Cache Warmer For Magento 2
Vendors & Products Mirasvit
Mirasvit full Page Cache Warmer For Magento 2

Tue, 26 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Title Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-04T03:55:44.156Z

Reserved: 2026-05-11T14:14:49.613Z

Link: CVE-2026-45247

Vulnrichment

Updated: 2026-05-26T15:22:59.350Z

NVD

Status: Analyzed

Published: 2026-05-26T15:16:39.263

Modified: 2026-06-03T19:55:00.583

Link: CVE-2026-45247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T07:45:03Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data