Critical vulnerability in Mirasvit Cache Warmer for Magento
Sansec discovered CVE-2026-45247 (CVSS 9.8), an unauthenticated PHP object injection vulnerability in Mirasvit Cache Warmer for Magento / Adobe Commerce. On every storefront request, authenticated or not, the extension passes the client-controlled CacheWarmer cookie value to PHP's native unserialize() with no class restrictions (no allowed_classes filter). An attacker can therefore supply a crafted gadget chain built from classes already present in Magento's dependency tree and achieve remote code execution. Roughly 6,000 stores are exposed; the patched version, 1.11.12, was released on May 25, 2026, and stores running the extension should upgrade. Detection: look for CacheWarmer cookie values matching CacheWarmer:(Tz|Qz|YT). Those are the base64 prefixes of serialized PHP data that begins with O: (an object), C: (a class with custom serialization) or a: (an array, which can carry objects inside it).
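The detection check above, as an added example that is not Sansec's or Mirasvit's code: a Python scanner that derives the Tz/Qz/YT prefixes from the serialized-PHP type leaders instead of hard-coding them, pulls the CacheWarmer cookie out of constructed access-log lines, and lists any class names in the decoded payload to speed up triage. The log format (combined log with the Cookie header as a trailing quoted field), the sample lines and the stdClass placeholder payloads are assumptions made for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Added example, not code from the advisory or the extension.
# Serialized PHP starts with a type leader: "O:" object, "C:" class with
# custom serialization, "a:" array. Base64 of any string that begins with
# one of these 2-byte leaders shares the same first two output characters,
# which is where the Tz / Qz / YT prefixes in the indicator come from.
PHP_LEADERS = (b"O:", b"C:", b"a:")
COOKIE_NAME = "CacheWarmer"


def b64_prefixes(leaders=PHP_LEADERS):
    """Derive the base64 prefixes of the serialized-PHP leaders: ("Tz", "Qz", "YT")."""
    return tuple(base64.b64encode(leader).decode()[:2] for leader in leaders)


def cookie_value(cookie_header, name=COOKIE_NAME):
    """Return one cookie's value from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)  # clients often send the '=' padding as %3D
    return None


def decode_serialized(value):
    """Base64-decode a candidate value (re-adding stripped padding); None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def php_class_names(raw):
    """Class names referenced by O:/C: records anywhere in a serialized PHP blob."""
    return [m.decode("latin-1") for m in re.findall(rb'[OC]:\d+:"([^"]+)"', raw)]


def classify_cookie(value):
    """Finding for a suspicious CacheWarmer value, or None for a benign/absent one.

    The prefix match alone is the indicator: the vulnerable extension unserializes
    whatever arrives, so an undecodable value is still reported, just without classes.
    """
    if value is None or not value.startswith(b64_prefixes()):
        return None
    raw = decode_serialized(value)
    return {
        "value": value,
        "decodable": raw is not None,
        "classes": php_class_names(raw) if raw is not None else [],
    }


# Assumed log format: combined log plus the Cookie header as the final quoted
# field (e.g. an nginx log_format ending in '"$http_cookie"').
LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')


def scan_line(line):
    """Classify one log line; None when it carries no suspicious CacheWarmer cookie."""
    match = LAST_QUOTED.search(line)
    if not match:
        return None
    finding = classify_cookie(cookie_value(match.group(1)))
    if finding:
        finding["line"] = line
    return finding


def scan(lines):
    """All findings across a sequence of log lines."""
    return [finding for finding in map(scan_line, lines) if finding]


# Constructed sample input: a legitimate cookie, an object payload (stdClass stands
# in for a real gadget class), an array wrapping an object, and a cookieless request.
_OBJ = base64.b64encode(b'O:8:"stdClass":1:{s:1:"x";i:1;}').decode()
_ARR = base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 "CacheWarmer=1; PHPSESSID=abc"',
    '203.0.113.9 - - [25/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 "CacheWarmer=%s"' % _OBJ,
    '203.0.113.9 - - [25/May/2026:10:00:03 +0000] "GET /contact HTTP/1.1" 200 "PHPSESSID=abc; CacheWarmer=%s"' % _ARR,
    '198.51.100.4 - - [25/May/2026:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["line"].split(" ")[0], hit["decodable"], hit["classes"])
```

Treat any hit as an exploitation attempt rather than a false positive to be decoded first: the extension unserializes the value before any check, so the prefix is the indicator and the decoded class list is only there to tell you which gadget chain was tried. Real payloads will name classes from Magento's vendor tree, not stdClass.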
This post is licensed under CC BY 4.0 by the author.