Mirasvit Cache Warmer EUVD-2026-31837

CVE-2026-45247 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-26 · VulnCheck · GHSA-rg8p-9rpg-r32p
9.3 · CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 08:37 (vuln.today)
Added to CISA KEV: Jun 03, 2026 - 17:31 (CISA)
CVSS changed: May 26, 2026 - 15:22 (NVD), 9.8 (CRITICAL) to 9.3 (CRITICAL)
CVE Published: May 26, 2026 - 14:15 (nvd), CRITICAL 9.3

Description (CVE.org)

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

Analysis (AI)

Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) and exploit code is publicly available. Successful exploitation relies on gadget chains in Magento and its dependencies, reached through an unsafe call to unserialize(). …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Recon: Scan internet for Magento 2 storefronts
Delivery: Fingerprint Mirasvit Cache Warmer presence
Exploit: Send HTTP request with malicious CacheWarmer cookie
Install: Trigger unserialize() on attacker payload
C2: POP gadget chain executes as web user
Execute: Deploy webshell or payment skimmer
Impact: Exfiltrate customer and payment data

Vulnerability Assessment (AI)

Exploitation: The vulnerable site must have the Mirasvit Full Page Cache Warmer module installed and enabled at a version below 1.11.12, deployed on Magento 2 - Magento core without this third-party extension is not affected. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H) indicates a remote, low-complexity, no-privilege, no-interaction attack with total confidentiality, integrity, and availability impact on the vulnerable component - the maximum severity signal. …

Exploit Scenario: An attacker scans the internet for Magento 2 storefronts, identifies those running the Mirasvit Cache Warmer module, and sends a single HTTP request to a public storefront URL with a CacheWarmer cookie containing a crafted serialized PHP object that triggers a known POP gadget chain in Magento or a Composer dependency. The unserialize() call instantiates the gadget chain on the server and yields arbitrary code execution as the PHP-FPM/web user, typically leading to webshell deployment, skimmer injection into checkout pages, or theft of customer PII and payment data. …

Remediation: Upgrade the Mirasvit Full Page Cache Warmer module to vendor-released patch version 1.11.12 or later via Composer (composer update mirasvit/module-cache-warmer), then run setup:upgrade and clear caches; the vendor changelog at https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer documents the fix. …

Recommended Action (AI)

24 hours: Audit all Magento 2 deployments to identify instances running Mirasvit Full Page Cache Warmer and document current versions. …
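
The version audit can be scripted against each deployment's composer.lock. The following is an added example, not code from the vendor or from this advisory; it assumes the module was installed through Composer under the package name given in the remediation text, and the function names and sample lock file are constructed here.

```python
import json
import re
import sys

PACKAGE = "mirasvit/module-cache-warmer"   # Composer name from the remediation text
FIXED = (1, 11, 12)                        # first fixed version per the advisory

def parse_version(raw):
    """Return a numeric tuple for '1.11.9' or 'v1.11.12' style versions, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def audit_lock(lock_text):
    """Classify one composer.lock; returns (status, installed_version_or_None)."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            parsed = parse_version(raw)
            if parsed is None:
                return "review", raw   # e.g. dev-master: cannot be compared, check by hand
            return ("vulnerable" if parsed < FIXED else "patched"), raw
    return "absent", None

# Constructed sample lock file (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.7"},
        {"name": "mirasvit/module-cache-warmer", "version": "1.11.9"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # Pass one or more composer.lock paths; with no arguments the sample is audited.
    paths = sys.argv[1:]
    if not paths:
        print("sample:", *audit_lock(SAMPLE_LOCK))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            print(path, *audit_lock(fh.read()))
```

An "absent" result only covers Composer installs: a copy of the module placed manually under app/code does not appear in composer.lock and has to be checked separately.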
