CVE advisoryKnown Exploit
CVE-2026-45247
Mirasvit Cache Warmer PHP Object Injection Remote Code Execution.
Halo Surface Signal: 5 out of 5 — more likely to be public-facing.
A PHP object injection vulnerability exists in Mirasvit Full Page Cache Warmer for Magento 2, allowing unauthenticated attackers to execute arbitrary code remotely by sending a crafted serialized PHP object in a cookie. This exploit leverages unrestricted calls to PHP's `unserialize()` function, potentially leading to