CVE-2026-45247

Warnung

Medienbericht

EPSS 27.55%
Veröffentlicht 26.05.2026 14:15:33
Zuletzt bearbeitet 03.06.2026 19:55:00
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mirasvit ≫ Full Page Cache Warmer SwPlatformmagento Version < 1.11.12

03.06.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

Schwachstelle

Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	27.55%	0.978

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

05.06.2026 12:52

https://sansec.io/research/mirasvit-cache-warmer-object-injection

Third Party Advisory

https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer

Release Notes

https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45247

US Government Resource

https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-45247-in-mirasvit-full-page-cache-warmer-for-magento/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-45247

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-45247

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-45247

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-45247

03.06.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog