Mirasvit Cache Warmer for Magento < 1.11.12 Remote Code Execution

critical Web App Scanning Plugin ID 115261

Synopsis

Mirasvit Cache Warmer for Magento < 1.11.12 Remote Code Execution

Description

The Mirasvit Cache Warmer extension installed on the remote Magento / Adobe Commerce host is affected by an unauthenticated PHP object injection vulnerability. A server-side plugin reads the 'CacheWarmer' cookie on every storefront request and passes part of its value to PHP's native unserialize() without restricting which classes may be instantiated. As the cookie value is client-controlled, an attacker can inject arbitrary objects and, combined with an available gadget chain, achieve remote code execution without authentication.
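The pattern described above, beside a restricted form, as an added example that is not code from the extension or from this plugin. The class, function names and sample strings are constructed for illustration, the real cookie format is not shown on this page, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any autoloadable class with a magic method.
// It only flips a flag; it is not a class from Magento or the extension.
final class DemoSideEffect
{
    public static bool $ran = false;
    public function __wakeup(): void { self::$ran = true; }
}

// The pattern the description names: client-controlled bytes reach
// unserialize() with no restriction on which classes may be instantiated.
function decodeUnrestricted(string $raw): mixed
{
    return unserialize($raw);
}

// True only for null, scalars, and arrays built from them.
function isPlainData(mixed $v): bool
{
    if (!is_array($v)) {
        return $v === null || is_scalar($v);
    }
    foreach ($v as $item) {
        if (!isPlainData($item)) { return false; }
    }
    return true;
}

// Restricted form: no class is instantiated (objects in the input become
// __PHP_Incomplete_Class), and input that is not plain data is rejected.
function decodeRestricted(string $raw): ?array
{
    $value = unserialize($raw, ['allowed_classes' => false]);
    return (is_array($value) && isPlainData($value)) ? $value : null;
}

// Constructed samples standing in for the decoded part of the cookie.
$benign  = serialize(['ids' => [10, 11]]);
$crafted = serialize(['ids' => new DemoSideEffect()]);

printf("restricted, benign:  %s\n", json_encode(decodeRestricted($benign)));
printf("restricted, crafted: %s\n", json_encode(decodeRestricted($crafted)));
printf("magic method ran after restricted decode:   %s\n", var_export(DemoSideEffect::$ran, true));
decodeUnrestricted($crafted);
printf("magic method ran after unrestricted decode: %s\n", var_export(DemoSideEffect::$ran, true));
```

Where the stored data is only scalars and arrays, moving the cookie to `json_decode()` removes object instantiation from the parsing path altogether.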

Solution

Upgrade to Mirasvit Cache Warmer 1.11.12 or later.

See Also

https://mirasvit.com/magento-2-extensions/full-page-cache-warmer.html

https://sansec.io/research/mirasvit-cache-warmer-object-injection

Plugin Details

Severity: Critical

ID: 115261

Type: Check Based

Published: 6/4/2026

Updated: 6/4/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-45247

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2026-45247

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-45247

Vulnerability Information

CPE: cpe:2.3:a:mirasvit:full_page_cache_warmer:*:*:*:*:*:magento:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/25/2026

Vulnerability Publication Date: 5/25/2026

CISA Known Exploited Vulnerability Due Dates: 6/6/2026

Reference Information

CVE: CVE-2026-45247