Description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Published: 2026-05-26
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mirasvit Full Page Cache Warmer for Magento 2 contains a PHP object injection flaw that allows attackers to supply a crafted serialized object in the CacheWarmer cookie. The vulnerability arises from an unrestricted call to PHP's unserialize() function coupled with vulnerable gadget chains in Magento and its dependencies. Exploitation yields arbitrary code execution on the web server, compromising confidentiality, integrity, and availability of the entire application.
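The pattern described above, as an added illustration that is not code from the Mirasvit extension: the class, function names, file path and cookie layout are assumed for the demo, and the stand-in gadget only appends a line to a file instead of running a real Magento chain. Only the cookie name CacheWarmer comes from the advisory. The first reader function shows the CWE-502 shape (attacker bytes straight into unserialize()), the second the hardened shape (no class may be instantiated, depth is bounded, and the result is reduced to the fields the feature needs).

```php
<?php
declare(strict_types=1);

// Added example, not Mirasvit's code. DemoGadget, the reader functions and the
// log path are assumptions for the demo; only the cookie name is from the advisory.

// Stand-in gadget. Any autoloadable class with a magic method (__wakeup,
// __destruct, __toString, ...) becomes reachable once attacker-controlled bytes
// reach unserialize(); the real chains live in Magento and its vendor tree.
final class DemoGadget
{
    public string $path = '/tmp/cache-warmer-demo.log';
    public string $line = 'benign';

    public function __destruct()
    {
        // A real gadget might drop a PHP file into the document root instead.
        file_put_contents($this->path, $this->line . PHP_EOL, FILE_APPEND);
    }
}

// Vulnerable shape: cookie bytes go straight into unserialize().
function readWarmerStateVulnerable(array $cookies): mixed
{
    return unserialize($cookies['CacheWarmer'] ?? 'a:0:{}');
}

// Hardened shape: objects can never be instantiated, nesting is bounded, and
// only the expected keys with the expected types survive.
function readWarmerStateHardened(array $cookies): array
{
    $raw = (string) ($cookies['CacheWarmer'] ?? '');
    // allowed_classes => false turns every O:/C: record into
    // __PHP_Incomplete_Class, so no magic method of real application code runs.
    // Malformed input yields false (and an E_NOTICE you would log).
    $data = unserialize($raw, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($data)) {
        return ['pages' => []];
    }
    $pages = is_array($data['pages'] ?? null) ? $data['pages'] : [];
    return ['pages' => array_values(array_filter($pages, 'is_string'))];
}

// Attacker side: the payload is built offline and sent unauthenticated as
// "Cookie: CacheWarmer=<urlencoded payload>". Written out by hand here so no
// DemoGadget instance (and hence no destructor) exists before unserialize().
$payload = 'O:10:"DemoGadget":2:{s:4:"path";s:26:"/tmp/cache-warmer-demo.log";'
         . 's:4:"line";s:12:"gadget fired";}';
$cookies = ['CacheWarmer' => $payload];

$obj = readWarmerStateVulnerable($cookies);
echo get_class($obj), PHP_EOL;   // DemoGadget: the attacker chose the class
unset($obj);                     // __destruct now runs with attacker-chosen fields

$safe = readWarmerStateHardened($cookies);
var_dump($safe);                 // ['pages' => []]: the object record was rejected
```

Replacing PHP serialization with json_decode() for cookie state removes the class of bug entirely and is preferable to allow-listing; the allowed_classes form is shown because it is the smallest change to an existing unserialize() call. The actual change Mirasvit made in 1.11.12 is not described on this page.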

Affected Systems

The affected product is Mirasvit Full Page Cache Warmer for Magento 2. All versions released before 1.11.12 are vulnerable. Users who have not yet applied the 1.11.12 update are at risk.

Risk and Exploitability

The CVSS 4.0 score of 9.3 (9.8 under CVSS 3.1) rates this a critical vulnerability. EPSS data is not available, but the flaw is exploitable without authentication by setting a malicious value in the CacheWarmer cookie, with no user interaction and no special conditions required (AV:N/AC:L/AT:N/PR:N/UI:N), and the SSVC assessment marks it Automatable: yes. The vulnerability is not listed in the CISA KEV catalog, but the unrestricted unserialize() call combined with gadget chains in Magento and its dependencies provides a clear path to remote code execution.

Generated by OpenCVE AI on May 26, 2026 at 15:22 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description identifies 1.11.12 as the first version that is not affected.

OpenCVE Recommended Actions

  • Upgrade Mirasvit Full Page Cache Warmer for Magento 2 to version 1.11.12 or later.
  • If an upgrade cannot be performed immediately, remove or disable the Mirasvit Cache Warmer module to eliminate the vulnerable code path.
  • If the module cannot be removed, configure a web application firewall or request-filter rule to detect and block serialized PHP objects in the CacheWarmer cookie. Treat this as a stopgap: it must account for URL and base64 encoding of the cookie value, and it does not remove the unserialize() call.
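One way to implement the cookie check in the last item, as an added example that is not part of the extension or of any vendor rule set: the function, the cookie layout and the sample values are constructed here. It matches the serialized-object signature O:<len>:" (or C: for classes implementing Serializable), both at the top level and nested inside an array, and repeats the check after URL decoding and after a base64 wrapper, two encodings that defeat a naive one-pass rule.

```php
<?php
declare(strict_types=1);

// Added example, not Mirasvit's code or a vendor WAF rule. Function names and
// samples are constructed for the demo; only the cookie name is from the advisory.

// An object record starts the value or follows a ';' or '{' separator.
const SERIALIZED_OBJECT_RE = '/(?:^|[;{])[OC]:\d+:"/';

function containsSerializedObject(string $value): bool
{
    foreach ([$value, rawurldecode($value), urldecode($value)] as $candidate) {
        if (preg_match(SERIALIZED_OBJECT_RE, $candidate) === 1) {
            return true;
        }
        // base64 (standard or URL-safe alphabet) hides ';' and '"' from naive filters.
        $trimmed = trim($candidate);
        if ($trimmed !== '' && preg_match('~^[A-Za-z0-9+/=_-]+$~', $trimmed) === 1) {
            $decoded = base64_decode(strtr($trimmed, '-_', '+/'), true);
            if ($decoded !== false && preg_match(SERIALIZED_OBJECT_RE, $decoded) === 1) {
                return true;
            }
        }
    }
    return false;
}

// Intended placement: a request filter that runs before the application
// bootstraps. Returns true when the request was rejected.
function blockIfMalicious(array $cookies, string $name = 'CacheWarmer'): bool
{
    $value = $cookies[$name] ?? null;
    if (!is_string($value) || !containsSerializedObject($value)) {
        return false;
    }
    http_response_code(400);
    return true;
}

// Constructed samples with the expected classification.
$samples = [
    'a:1:{s:5:"pages";a:1:{i:0;s:5:"/home";}}'                     => false, // plain array
    'O:10:"DemoGadget":0:{}'                                         => true,  // top-level object
    'a:1:{i:0;O:10:"DemoGadget":0:{}}'                               => true,  // object nested in array
    'a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22DemoGadget%22%3A0%3A%7B%7D%7D'   => true,  // URL-encoded
    base64_encode('O:10:"DemoGadget":0:{}')                          => true,  // base64-wrapped
];
foreach ($samples as $value => $expected) {
    if (containsSerializedObject($value) !== $expected) {
        throw new RuntimeException("unexpected classification for: $value");
    }
}
echo "all samples classified as expected", PHP_EOL;
```

The rule deliberately rejects any object record, including ones a legitimate client might send, because the cache warmer has no reason to accept objects in this cookie. It is a detection layer only: an attacker who finds an encoding the filter does not unwrap still reaches the unrestricted unserialize(), so the upgrade remains the fix.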

Generated by OpenCVE AI on May 26, 2026 at 15:22 UTC.

Advisories

No advisories yet.

History

Tue, 26 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Title | (none) | Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection
Weaknesses | (none) | CWE-502
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | (none) | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T15:23:03.586Z

Reserved: 2026-05-11T14:14:49.613Z

Link: CVE-2026-45247

Vulnrichment

Updated: 2026-05-26T15:22:59.350Z

NVD

Status : Received

Published: 2026-05-26T15:16:39.263

Modified: 2026-05-26T15:16:39.263

Link: CVE-2026-45247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:30:08Z

Weaknesses