Alerts

Critical Vulnerability in Mirasvit Full Page Cache Warmer for Magento 2

5 June 2026

Mirasvit released a security update addressing a critical vulnerability in the Full Page Cache Warmer extension for Magento 2. Users and administrators of affected products are advised to update to the latest versions immediately.

Mirasvit is the product owner of Magento 2, an e-commerce platform. Mirasvit released a security update to address a critical PHP object injection vulnerability (CVE-2026-45247) affecting the Mirasvit Full Page Cache Warmer extension for Magento 2. This vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.

Impact

Due to unsafe deserialisation of attacker-controlled data supplied through the CacheWarmer cookie, an unauthenticated attacker could inject a crafted serialised PHP object to perform remote code execution on the affected system.

Known Exploitation

This vulnerability is being actively exploited in the wild.

Affected Products

This vulnerability affects Mirasvit Full Page Cache Warmer for Magento 2 versions prior to 1.11.12.

Mitigation

Users and administrators of affected products are advised to update to the latest versions immediately.

References

https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer

https://nvd.nist.gov/vuln/detail/CVE-2026-45247

https://www.securityweek.com/mirasvit-vulnerability-exploited-to-execute-code-on-magento-servers/

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Critical Vulnerability in Mirasvit Full Page Cache Warmer for Magento 2

Reach us