
CVE-2026-45247
Critical (CVSS 9.8) unauthenticated PHP object injection flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce, enabling remote code execution.
Last refreshed: 7 June 2026
What is CVE-2026-45247 and how dangerous is it?
- CVE-2026-45247 is a CVSS 9.8 critical flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. It allows any attacker on the internet to take complete control of a Magento store's server without needing a password, by sending a specially crafted cookie. CISA listed it as actively exploited on 3 June 2026. Source: CISA / The Hacker News
How does the CVE-2026-45247 exploit work technically?
- The Mirasvit Cache Warmer extension passes the CacheWarmer cookie value straight to PHP's unserialize() function without type-checking, so nothing restricts which classes the call may instantiate. An attacker crafts a malicious serialised PHP object whose class names and properties are chosen so that the application's own code carries out the actions the attacker wants. When the extension deserialises that object, PHP instantiates those attacker-chosen classes and runs their lifecycle (magic) methods on the attacker-supplied data, giving the attacker Remote Code Execution on the server. Source: CISA / security research
Which countries were affected by CVE-2026-45247 attacks?
- Sansec and Imperva confirmed active exploitation of CVE-2026-45247 against gaming and business sites in the United States, the United Kingdom, France and Australia. The attacks were observed between Adobe's 25 May 2026 patch and CISA's 3 June KEV listing. Source: The Hacker News / Sansec / Imperva
Do I need to update Mirasvit Cache Warmer if I run a Magento store?
- Yes, immediately. Any Magento 2 or Adobe Commerce store running the Mirasvit Full Page Cache Warmer extension before the 25 May 2026 patch is exposed to a CVSS 9.8 unauthenticated Remote Code Execution flaw. Active attacks were confirmed in multiple countries. Apply the extension update and audit server logs for signs of compromise. Source: CISA / Adobe
Background
CVE-2026-45247 is a CVSS 9.8 critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. The flaw stems from unsafe PHP deserialisation: the extension processes a user-supplied serialised object in the CacheWarmer cookie without type-checking, allowing an attacker to craft a payload that triggers PHP object injection and achieves Remote Code Execution (RCE) on the server, without needing any login credentials.
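The cookie-to-unserialize() pattern described above, as an added illustration that is not Mirasvit's or Adobe's code: a hypothetical vulnerable reader next to a hardened one, plus a helper for checking captured cookie values during the log audit the page recommends. The cookie name CacheWarmer is from the advisory; the function names, the assumed legitimate format (a flat array of scalar flags) and the 512-byte bound are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical sketch of the flaw class (not the extension's real code): the
// cookie goes straight into unserialize(), so any class named in the payload
// is instantiated and its __wakeup()/__destruct() run on attacker-chosen data.
function readWarmerCookieUnsafe(array $cookies): mixed
{
    return unserialize($cookies['CacheWarmer'] ?? '');
}

// Hardened reader: allowed_classes => false turns every object into a
// __PHP_Incomplete_Class (no constructor, __wakeup() or __destruct()), so no
// gadget fires; a shape check then admits only the assumed legitimate format,
// a flat array of scalar flags.
function readWarmerCookieSafe(array $cookies): ?array
{
    $raw = $cookies['CacheWarmer'] ?? '';
    if ($raw === '' || strlen($raw) > 512) {   // assumed size bound
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
    }
    return $data;
}

// Detection helper for captured cookie values (WAF/proxy logs): a legitimate
// warmer cookie never carries a serialized object. Parsing with
// allowed_classes => false exposes every object as __PHP_Incomplete_Class.
function containsSerializedObject(string $cookieValue): bool
{
    $data = @unserialize(rawurldecode($cookieValue), ['allowed_classes' => false]);
    return $data !== false && hasIncompleteClass($data);
}

function hasIncompleteClass(mixed $value): bool
{
    return $value instanceof __PHP_Incomplete_Class
        || (is_array($value) && array_reduce($value, fn ($hit, $v) => $hit || hasIncompleteClass($v), false));
}
```

Feed the CacheWarmer values captured by a WAF or reverse proxy to containsSerializedObject(); a true result is worth treating as an exploitation attempt. The max_depth option needs PHP 7.4 or later.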
Adobe shipped a patch on 25 May 2026. CISA listed the flaw in its Known Exploited Vulnerabilities (KEV) catalogue on 3 June 2026, setting a 6 June deadline for US Federal Civilian Executive Branch (FCEB) agencies, nine days after the fix and before most private e-commerce operators had finished their patching cycle. Sansec and Imperva confirmed active exploitation against gaming and business sites in the United States, the United Kingdom, France and Australia within that nine-day window.
CVE-2026-45247 exemplifies the structural vulnerability of Magento's third-party extension ecosystem. Adobe's Marketplace review process checks compatibility and code quality rather than exploitable PHP deserialisation patterns, leaving extension vendors as independent security actors. A CVSS 9.8 no-authentication flaw in a widely deployed caching extension generates automated proof-of-concept scripts within approximately 72 hours of public disclosure, collapsing the exploitation window well below the 30-day EPSS-predicted norm. The nine-day patch-to-federal-mandate timeline set a new enforcement benchmark for third-party extension CVEs.