Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

AI Analysis

PHP object injection vulnerability allowing remote code execution

Basic Information

ID CVE-2026-45247

Source VulnCheck

Published May 26, 2026 at 14:15

Modified May 26, 2026 at 15:23

Affected Product

Vendor Mirasvit

Product Full Page Cache Warmer for Magento 2

Affected Versions Mirasvit Full Page Cache Warmer for Magento 2 0

CWE Classification

CWE-502

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Mirasvit

Product Full Page Cache Warmer for Magento 2

Version < 1.11.12

References

{
    "lastseen": "",
    "description": "Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.",
    "published": "2026-05-26T14:15:33.596Z",
    "modified": "2026-05-26T15:23:03.586Z",
    "type": "cve",
    "title": "Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection",
    "source": "VulnCheck",
    "references": "https://sansec.io/research/mirasvit-cache-warmer-object-injection\nhttps://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer\nhttps://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection",
    "id": "CVE-2026-45247",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Mirasvit Full Page Cache Warmer for Magento 2 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Full Page Cache Warmer for Magento 2",
    "version": "0",
    "vendor": "Mirasvit",
    "ai_description": "PHP object injection vulnerability allowing remote code execution",
    "ai_severity": "Critical",
    "ai_vendor": "Mirasvit",
    "ai_product": "Full Page Cache Warmer for Magento 2",
    "ai_version": "< 1.11.12",
    "ai_score": 9.3
}

Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection_CVE-2026-45247