
Mirasvit
Mirasvit is a Magento extension vendor whose Full Page Cache Warmer module contained the PHP object-injection flaw CVE-2026-45247.
Last refreshed: 7 June 2026
How did a Magento caching add-on become a CVSS 9.8 threat to thousands of stores?
Timeline for Mirasvit
Shipped the CacheWarmer extension containing the PHP object-injection flaw
Cybersecurity: Threats and Defences: Magento RCE forces 9-day patch race
- What is the Mirasvit Cache Warmer vulnerability?
- CVE-2026-45247 is a CVSS 9.8 unauthenticated Remote Code Execution flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 and Adobe Commerce. It allows an attacker to run arbitrary code on a store's server without needing a password, by sending a crafted cookie. The flaw was patched on 25 May 2026 and listed by CISA on 3 June. Source: CISA / The Hacker News
- Is my Magento store vulnerable to the Mirasvit Cache Warmer exploit?
- Any Magento 2 or Adobe Commerce store running the Mirasvit Full Page Cache Warmer extension before the 25 May 2026 patch is potentially vulnerable. Active attacks were confirmed by Sansec and Imperva against stores in the US, UK, France and Australia. Apply the patch immediately and check server logs for unusual PHP execution. Source: Sansec / Imperva
- Why did the Mirasvit flaw reach a 9.8 CVSS score?
- CVSS 9.8 reflects that the flaw requires no authentication, is remotely exploitable, and grants full code execution on the server. These three factors (no login needed, remotely reachable, complete compromise) are the maximum-severity combination in the CVSS scoring model. Source: CISA KEV catalogue
- How quickly was the Mirasvit Cache Warmer flaw exploited after patching?
- Within nine days. Adobe and Mirasvit shipped the patch on 25 May 2026; CISA added the flaw to its Known Exploited Vulnerabilities catalogue on 3 June with a 6 June federal deadline. Sansec and Imperva confirmed active attacks were already underway in that window. Source: CISA / Sansec
- What other extensions does Mirasvit make?
- Mirasvit builds a broad portfolio of Magento 2 extensions covering site search, product recommendations, merchandising, layered navigation, and performance tools. The Cache Warmer is one of several performance-focused extensions the company offers for high-traffic Magento storefronts. Source: Mirasvit.com
Background
Mirasvit came to international attention in June 2026 when its Full Page Cache Warmer extension for Magento 2 and Adobe Commerce was found to contain CVE-2026-45247, a CVSS 9.8 unauthenticated Remote Code Execution flaw. The vulnerability, caused by unsafe PHP deserialisation of a crafted cookie value, was patched on 25 May 2026 and listed on CISA's Known Exploited Vulnerabilities catalogue by 3 June — a nine-day window in which Sansec and Imperva confirmed active attacks against retail and gaming sites in the US, UK, France and Australia.
Mirasvit is a Ukrainian software house specialising in Magento extensions across performance, search and merchandising functions. Its Cache Warmer product pre-generates cached page versions to improve storefront load times, making it a common install across performance-conscious e-commerce operators. The vulnerability sits in the extension's handling of the CacheWarmer cookie, where attacker-controlled serialised PHP objects can trigger arbitrary code execution on the server without authentication.
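For the log check recommended above, one triage approach is to look for PHP serialize() object markers in recorded Cookie headers. The following is an added example, not code from Mirasvit, Sansec or this page's sources; it inspects each cookie value in URL-decoded and base64-decoded form. The record layout, the cookie name `example_warmer` and all sample values are constructed assumptions, since the page gives neither the exact cookie name nor the payload encoding.

```python
import base64
import re
from urllib.parse import quote, unquote

# PHP serialize() writes objects as O:<len>:"<Class>":<count>:{ and
# Serializable objects as C:<len>:"<Class>":<len>:{ ; arrays/scalars never do.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

def candidates(value):
    """Yield the URL-decoded value and, if it is valid base64, its decoding."""
    decoded = unquote(value)
    yield decoded
    padded = decoded + "=" * (-len(decoded) % 4)
    try:
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not base64
        return

def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs."""
    parts = (p.strip().partition("=") for p in header.split(";"))
    return [(name, value) for name, sep, value in parts if sep]

def flag_requests(records):
    """Return (client, cookie_name) for every cookie carrying a PHP object."""
    hits = []
    for rec in records:
        for name, value in parse_cookie_header(rec["cookie"]):
            if any(PHP_OBJECT.search(c) for c in candidates(value)):
                hits.append((rec["client"], name))
    return hits

# Constructed sample data: harmless stdClass object, documentation IP ranges,
# hypothetical cookie name "example_warmer" (the real name is not on the page).
_OBJ = 'a:1:{i:0;O:8:"stdClass":0:{}}'
_ARR = 'a:2:{i:0;s:3:"sku";i:1;i:4;}'  # plain array: must not be flagged
SAMPLE_RECORDS = [
    {"client": "192.0.2.10", "cookie": "PHPSESSID=3f9a1c; form_key=Qx7LmT2p"},
    {"client": "198.51.100.7", "cookie": "PHPSESSID=77aa; example_warmer="
        + base64.b64encode(_OBJ.encode()).decode()},
    {"client": "203.0.113.5", "cookie": "example_warmer=" + quote(_OBJ, safe="")},
    {"client": "192.0.2.44", "cookie": "cart=" + quote(_ARR, safe="")},
]

if __name__ == "__main__":
    for client, cookie in flag_requests(SAMPLE_RECORDS):
        print(f"serialized PHP object in cookie {cookie!r} from {client}")
```

Cookie headers are not written to access logs by default, so this assumes a WAF, proxy or custom log format that records them. A match is a lead for investigation, not proof of compromise.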
The CVE-2026-45247 incident illustrates the structural security gap in Magento's third-party extension ecosystem: extensions are not subject to the same mandatory security-review gate as the core platform, meaning high-CVSS flaws in widely deployed add-ons can reach thousands of production stores before any audit catches them. Adobe's Marketplace review process checks compatibility and code quality rather than exploitable deserialisation patterns, leaving extension vendors as independent security actors whose patch cadence directly determines how fast exposure spreads across the global Magento install base.