
CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

Ravie Lakshmanan | June 04, 2026 | Web Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw affecting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted data that could be used to execute malicious PHP code on the affected server.

“Mirasvit Full Page Cache Warmer contains unreliable data scraping that could allow unauthorized attackers to achieve code execution by providing a crafted PHP object to the CacheWarmer cookie,” CISA said.

The flaw affects all versions of the extension prior to version 1.11.12. Patches for it were released on May 25, 2026.

The addition of CVE-2026-45247 to the KEV catalog comes days after Sansec said the PHP object injection vulnerability could be exploited through any storefront request that carries a crafted CacheWarmer cookie, part of whose value the extension then passes to PHP’s unserialize() function, without requiring any administrative privileges.

“Because that value comes directly from the client, the attacker has control over what PHP rebuilds,” the Dutch security firm said. “This is PHP object injection (CWE-502). Combined with a series of gadgets from the Magento classes and their already shipped dependencies, object injection steps up to remote code execution.”

Sansec said it has identified about 6,000 stores using Mirasvit extensions, although the exact number may be higher given the masking by content delivery networks (CDNs) such as Cloudflare.

Thales-owned Imperva has since disclosed that it has observed active attempts to exploit CVE-2026-45247 using PHP payloads sent via malicious HTTP requests.

“The viewed payloads contain base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution via commonly abused gadget chains,” the company said. “The payloads attempt to invoke functions such as system() and current() to issue arbitrary commands to the underlying server. In several noted cases, attackers used test commands designed to ensure successful code execution.”

The activity has specifically singled out gaming and business sites, with the US, UK, France, and Australia emerging as the most targeted countries. It is currently unknown who is behind the exploitation attempts, although the ultimate goal appears to be to identify vulnerable Magento installations and confirm that remote code execution is possible.

In light of the active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply the fix by June 6, 2026. To detect possible exploitation attempts, site owners are advised to check for storefront requests that contain a CacheWarmer cookie whose value contains the tag “CacheWarmer:” followed by Base64-encoded data.

“Compiled PHP objects are base64-encoded to values starting with Tz, Qz or YT, so a CacheWarmer cookie value like CacheWarmer:(Tz|Qz|YT) is a strong indicator of an exploit attempt,” Sansec added.
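
As an added example (not code from Sansec, CISA or the original article), the check Sansec describes can be run over Cookie headers pulled from request logs. It assumes the raw Cookie header is available; the function names and sample headers are constructed for illustration, and it goes one step beyond the prefix match by decoding the first Base64 bytes to confirm a PHP serialize() type tag (O:, C: or a:).

```python
import base64
import re
from urllib.parse import unquote

# Indicator quoted above: "CacheWarmer:" followed by Base64 starting Tz, Qz or YT.
INDICATOR = re.compile(r"CacheWarmer:((?:Tz|Qz|YT)[A-Za-z0-9+/]*)")

# Those prefixes are what Base64 produces for PHP serialize() type tags.
PHP_TAGS = {b"O:": "object", b"C:": "custom-serialized object", b"a:": "array"}


def cachewarmer_value(cookie_header):
    """Return the URL-decoded CacheWarmer cookie value, or None if not present."""
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "CacheWarmer":
            return unquote(value)
    return None


def classify(cookie_header):
    """None: indicator absent. Otherwise the PHP type the payload starts with,
    or "prefix-only" when the Base64 prefix matched but decoding shows no type tag."""
    value = cachewarmer_value(cookie_header)
    match = INDICATOR.search(value) if value else None
    if match is None:
        return None
    head = match.group(1)[:4]
    head += "=" * (-len(head) % 4)  # pad so a short capture still decodes
    return PHP_TAGS.get(base64.b64decode(head)[:2], "prefix-only")


def sample(serialized):
    """Constructed Cookie header wrapping harmless serialized bytes (not a real capture)."""
    blob = base64.b64encode(serialized).decode()
    return "PHPSESSID=abc123; CacheWarmer=CacheWarmer%3A" + blob


if __name__ == "__main__":
    for data in (b'O:8:"stdClass":0:{}', b"a:0:{}", b"hello"):
        print(data, "->", classify(sample(data)))
```

A "prefix-only" result still matches the indicator as Sansec states it and is worth reviewing; the decode step only helps rank hits.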
