CVE•Published 2026-05-26•Modified 2026-06-03•1 article on news•5 live references•NVD data
CVE-2026-45247Mirasvit · Full_page_cache_warmer
Vulnerability data via NVD (ingested)
CVSS v3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS percentile
—
Weaknesses (CWE)
Description
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Timeline
Published 2026-05-26
Modified 2026-06-03
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan · vuln tag0 hosts
vuln:CVE-2026-45247Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Mirasvit Full Page Cache Warmer"All exposed Mirasvit Full Page Cache Warmer instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Full Page Cache Warmer"HTTP body or banner mentions "Full Page Cache Warmer" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-45247Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-45247Censys host search filtered to this CVE id.
grep.app
CVE-2026-45247Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-45247GitHub code search for direct mentions.
Google dork
"CVE-2026-45247" exploit -site:nvd.nist.govWrite-ups and news, NVD excluded.