A critical security vulnerability has been discovered in a widely used Magento caching plugin that allows attackers to remotely execute malicious code with no login, configuration changes, or admin access required.
Security researchers at Sansec uncovered an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a full-page cache extension used by thousands of Magento and Adobe Commerce storefronts.
The vulnerability, tracked as CVE-2026-45247, carries a maximum-severity CVSS score of 9.8 (Critical).
Magento Cache Plugin Vulnerability
Mirasvit Cache Warmer is designed to preload cached versions of store pages for different visitor types, varying by currency, customer group, and other session states.
To do this, it packs session details into a cookie and sends them with each crawl request. On the server side, a plugin reads that cookie and adjusts the session accordingly before rendering the page.
The critical problem: the plugin passes part of that cookie value directly to PHP’s native unserialize() function, with no class restrictions and no authentication checks.
Because the cookie value is entirely client-side, an attacker can craft it to inject arbitrary PHP objects. This is known as PHP Object Injection (CWE-502).
When combined with a gadget chain (malicious logic built from classes already bundled within Magento and its dependencies), this object injection escalates directly into Remote Code Execution (RCE).
The attack fires on every storefront request, not just internal cache-warming traffic, making any public-facing Magento store a potential target.
All versions of Mirasvit Cache Warmer before 1.11.12 are vulnerable. The extension ships bundled inside several other Mirasvit packages, meaning many merchants may be running it without realizing it.
Sansec’s scanning found approximately 6,000 stores running Mirasvit extensions, with the actual number likely far higher, as CDNs like Cloudflare mask many installations from external fingerprinting.
The exploit leaves a recognizable trail in web logs. Security teams should watch for storefront requests carrying a CacheWarmer cookie whose value begins with CacheWarmer: followed by a base64 string.
Serialized PHP objects typically base64-encode to strings starting with Tz, Qz, or YT (the base64 encodings of the PHP serialization prefixes O:, C:, and a:), making the pattern CacheWarmer:(Tz|Qz|YT) a strong indicator of an active exploitation attempt.
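As an added illustration of the indicator described above (this is not code from Sansec's advisory or from Mirasvit), the following Python scans access-log lines for the CacheWarmer:(Tz|Qz|YT) pattern and then decodes the value to confirm it really carries a PHP serialization marker. The log format (combined log with the Cookie header appended as the last quoted field), the IP addresses, and the serialized payload are constructed samples.

```python
import base64
import binascii
import re
# Indicator from the advisory: a CacheWarmer cookie whose value is "CacheWarmer:"
# followed by base64 starting with Tz, Qz or YT, the base64 encodings of the PHP
# serialization prefixes "O:" (object), "C:" (custom class) and "a:" (array).
COOKIE_RE = re.compile(r'CacheWarmer=(CacheWarmer:[A-Za-z0-9+/=]*)')
INDICATOR_RE = re.compile(r'^CacheWarmer:(Tz|Qz|YT)')
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

def b64(payload: bytes) -> str:
    return base64.b64encode(payload).decode()

# Constructed combined-log lines with the Cookie header appended as the last
# quoted field. The serialized value names a made-up class, not a real gadget.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" '
    '200 5120 "CacheWarmer=CacheWarmer:' + b64(b'O:10:"DemoGadget":1:{s:1:"x";i:1;}') + '"',
    '203.0.113.8 - - [01/Jun/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 9100 '
    '"PHPSESSID=abc123; form_key=xyz"',
    '198.51.100.4 - - [01/Jun/2026:10:00:03 +0000] "GET /customer/account HTTP/1.1" '
    '200 4400 "CacheWarmer=CacheWarmer:' + b64(b'currency=USD;group=1') + '"',
    '198.51.100.9 - - [01/Jun/2026:10:00:04 +0000] "GET /checkout HTTP/1.1" '
    '200 4400 "CacheWarmer=CacheWarmer:' + b64(b'a:1:{i:0;s:4:"test";}') + '"',
])

def scan_log(text: str) -> list:
    """Return (ip, request, marker) for each request whose CacheWarmer cookie
    carries a serialized PHP value, i.e. matches CacheWarmer:(Tz|Qz|YT)."""
    findings = []
    for line in text.splitlines():
        cookie = COOKIE_RE.search(line)
        if not cookie or not INDICATOR_RE.match(cookie.group(1)):
            continue
        # Decode to confirm a real serialization marker, not just a base64 prefix.
        try:
            decoded = base64.b64decode(cookie.group(1)[len("CacheWarmer:"):], validate=True)
        except binascii.Error:
            continue
        if not decoded.startswith((b"O:", b"C:", b"a:")):
            continue
        meta = LOG_RE.match(line)
        ip, req = (meta.group("ip"), meta.group("req")) if meta else ("?", "?")
        findings.append((ip, req, decoded[:2].decode()))
    return findings

if __name__ == "__main__":
    for ip, req, marker in scan_log(SAMPLE_LOG):
        print(f"{ip} {req!r} serialized-prefix={marker}")
```

The third sample line shows why the decode step matters: a CacheWarmer cookie with ordinary session data is not flagged, only values that actually begin with a serialization prefix are.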
Mitigations
Mirasvit released the patched version 1.11.12 on May 25, 2026, within days of being notified. Store owners should act immediately:
Update now: Upgrade Mirasvit Cache Warmer to version 1.11.12 or later.
Block attacks: Deploy a web application firewall capable of blocking serialization-based exploit attempts.
Scan for compromise: Check for webshells, backdoors, or unexpected PHP files in pub/ and other web-accessible directories.
Audit installed packages: Confirm whether Cache Warmer is bundled inside other Mirasvit modules on your store.
Sansec’s Shield customers were already protected from April 24, 2026, the same day the flaw was discovered. The CVE was formally assigned on May 26, 2026.
Given that exploitation requires zero authentication and can be fully automated, unpatched stores remain at serious risk of full server compromise.