CVE-2026-45247— Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1068 · Exploitation for Privilege Escalation T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mirasvit | Full Page Cache Warmer for Magento 2 | < 1.11.12 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45247
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mirasvit Full Page Cache Warmer for Magento 2 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mirasvit Full Page Cache Warmer for Magento 2是美国Mirasvit公司的一个Magento缓存预热扩展。 Mirasvit Full Page Cache Warmer for Magento 2 1.11.12之前版本存在代码问题漏洞,该漏洞源于对CacheWarmer cookie中序列化PHP对象调用unserialize()函数时未加限制,未认证攻击者可通过Magento及其依赖中的小工具链实现远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Mirasvit | Full Page Cache Warmer for Magento 2 | 0 ~ 1.11.12 | - |
II. Public POCs for CVE-2026-45247
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45247
请登录查看更多情报信息。
News Coverage for CVE-2026-45247 (1)
- 🔗 Critical vulnerability in Mirasvit Cache Warmer for Magento | Sansec Read full article technical-description
Vendor Pages for CVE-2026-45247 (1)
Other References for CVE-2026-45247 (1)
IV. Related Vulnerabilities
Same weakness: CWE-502
- CVE-2026-45134
LangSmith Client SDK: Public prompt pull deserializes untrus - CVE-2026-47161
RELATE Vulnerable to Remote Code Execution (RCE) via Insecur - CVE-2026-44843
LangChain: Unsafe deserialization of attacker-controlled Lan - CVE-2026-24162
NVIDIA Transformers4Rec 代码问题漏洞 - CVE-2026-9497
changmingxie tcc-transaction Fastjson AutoType REST API Fast
V. Comments for CVE-2026-45247
No comments yet