CVE-2026-45247 — unauthenticated RCE in a Magento extension via PHP object injection
CVE-2026-45247 is a PHP object injection (deserialization of untrusted data, CWE-502) in the Mirasvit Full Page Cache Warmer extension for Magento 2 before 1.11.12. It allows unauthenticated remote code execution and is rated CVSS 9.3. The vulnerability is actively exploited and listed in CISA KEV. This bulletin covers what it is, the affected range, and the fixes to apply now, from a defensive standpoint and without attack steps.
- CVE: CVE-2026-45247
- Severity: Critical (CVSS 9.3 / v4.0)
- Class: PHP object injection (deserialization of untrusted data, CWE-502)
- Impact: Unauthenticated remote code execution (RCE)
- Affected: Mirasvit Full Page Cache Warmer for Magento 2, before 1.11.12
- Real fix: Update to 1.11.12 or later
Why neglect is dangerous
Unauthenticated RCE is a prime target for blind scanners (that's why it's KEV-listed). "We're too small to be targeted" doesn't hold — scanners sweep the whole internet mechanically.
What the vulnerability is (PHP object injection)
PHP has serialize to stringify data and unserialize to restore it. Deserializing untrusted input as-is lets an attacker pass "an object that causes unwanted side effects when restored." During restoration (magic methods, etc.), unintended behavior chains together and can reach code execution — that's PHP object injection (CWE-502).
- ✗ Restore untrusted input: external input → unserialize into an object → restore chain → code execution
- ✓ Treat as data: accept external input only as data (JSON, etc.) → never reconstruct objects
The affected component is a cache-warming extension for Magento 2. The attacker reaches it without authentication, and CVSS rates it 9.3 — worst class.
Affected range
| Item | Detail |
|---|---|
| Extension | Mirasvit Full Page Cache Warmer for Magento 2 |
| Affected versions | before 1.11.12 |
| Fixed version | 1.11.12 and later |
| Precondition | No authentication required |
| Impact reached | Remote code execution (RCE) |
Fixes
1. Update to 1.11.12+ (top priority, the real fix)
2. Buy time with defense in depth
3. Check for compromise
4. Inventory extensions + machine CVE monitoring
ITD's view: design the deserialization away
This class never dies — because it's "convenient" to restore external input directly. ITD's stance is plain: never create a place that unserializes untrusted data. Accept external input only as data (e.g. json_decode), never to reconstruct objects. Then this class vanishes by design.
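The two shapes sketched above (restore untrusted input vs. treat it as data) side by side in PHP. This is an added illustration, not code from the bulletin or from the Mirasvit extension; the input strings and field names (`urls`, `priority`) are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs standing in for a request parameter.
$jsonInput       = '{"urls":["/","/catalog"],"priority":2}';
$serializedInput = 'O:8:"stdClass":1:{s:4:"urls";a:1:{i:0;s:1:"/";}}';

// The risky pattern the bulletin describes, shown for contrast and never called:
// the sender controls the bytes, so unserialize() decides which classes are
// instantiated and which restore-time methods run, not the application.
function restoreUntrusted(string $raw): mixed
{
    return unserialize($raw); // CWE-502: never do this with external input
}

// Hardened form 1: accept external input only as data. json_decode() with
// $associative = true can only ever yield scalars and arrays, never objects,
// so there is no object graph for an attacker to shape.
function parseAsData(string $raw): array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['urls']) || !is_array($data['urls'])) {
        throw new InvalidArgumentException('unexpected input shape');
    }
    // Keep only the fields the feature needs, with the types it expects.
    return [
        'urls'     => array_values(array_filter($data['urls'], 'is_string')),
        'priority' => (int)($data['priority'] ?? 0),
    ];
}

// Hardened form 2, for a legacy serialized format that cannot be dropped yet:
// forbid every class, so any object in the payload is restored as an inert
// __PHP_Incomplete_Class and no __wakeup/__destruct chain can start.
function parseLegacyWithoutObjects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false, 'max_depth' => 16]);
}

var_dump(parseAsData($jsonInput));
$legacy = parseLegacyWithoutObjects($serializedInput);
var_dump($legacy instanceof __PHP_Incomplete_Class);
```

Run with `php demo.php`; the second `var_dump` confirms that an object embedded in the serialized input never becomes a live instance of its declared class.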
FAQ
Q: What does CVE-2026-45247 allow?
A: An unauthenticated attacker can execute arbitrary code (RCE) on a Magento site running the affected extension — a direct path to defacement, data theft, and a foothold into other systems. It's a worst-class vulnerability.
Q: What's the most reliable fix?
A: Update the 'Mirasvit Full Page Cache Warmer for Magento 2' extension to 1.11.12 or later. The update is the real closure; config changes and a WAF are time-buying defense-in-depth until you can patch.
Q: What is PHP object injection?
A: Deserializing untrusted input as-is (via unserialize, etc.) so an attacker-supplied object gets reconstructed, chaining into unintended behavior (CWE-502). The real defense is to never deserialize untrusted data.