—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Remote Code Execution Vulnerability in Mirasvit Full Page Cache Warmer for Magento

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

Mirasvit Cache Warmer for Magento 2 versions prior to 1.11.12

Overview

A vulnerability has been reported in Mirasvit Cache Warmer for Magento 2 which could be exploited by an attacker to execute arbitrary code on the targeted system.

Target Audience:

All end-user organizations and individuals using affected versions of Mirasvit Full Page Cache Warmer.

Risk Assessment:

High risk of remote code execution, unauthorized access, and potential data manipulation.

Impact Assessment:

Potential for service unavailability, sensitive information disclosure, and data manipulation.

Description

Mirasvit Full Page Cache Warmer for Magento 2 is a cache preloading and optimization extension designed to improve website performance by automatically warming and refreshing cached pages.

This vulnerability exists in the Mirasvit Full Page Cache Warmer due to the deserialization of untrusted data. An attacker could exploit this by sending especially crafted serialized PHP object in the CacheWarmer cookie.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the targeted system.

Note: This vulnerability is being actively exploited in the wild. Users are strongly advised to apply the latest patches immediately.

Solution

Apply appropriate updates as mentioned by the vendor:

https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer

Vendor Information

Mirasvit

https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer

References

Mirasvit

https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer

CVE Name

CVE-2026-45247

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmoi4N0ACgkQ3jCgcSdc

ys+O6w//QjZXy5sE67HCWpC96XtR+gTp17l+WlcFLyxZ33zixQJD74W8JwDVXX2V

hY8k3NBglaIwX50IL+OkSa7ONHmbavwnb1MetbJ6xNlQqaObjb9HYOQj2lZc8LNh

OynBnb+dJKVsnmbqY+UHd3Nf2oavq9FtjHfduyXKL2NmDv8Hd/JE+EORbj9imegC

m2UpHqNA3NA7kAk6SdfV5/aaSKWqtKlgvxTlpVefDFZq+2savsmkHFu/cM1HcnHg

6YqnqJV5WiTrb87kbaYvM6wTSG35bSzrwe6YcUnwky69PcPUHhiEcKqsimpUZB3k

f7ZpYjQiMUBRWEp3C/ZYJsftNl1aCTJLLxK56IpQn7lbFbwcOUhx7fvFUAbkH7Qw

Lxy71eeKIp8EcGqm89HGlNwEHBe0TS6sqP9CjYWtbC6jBqdYcD1neH9igPymvf7k

g3zeJN2In8TJqRWoaoPym/yfMUGaX3yHWaP4OacCyLVVR1d6DHaOScDHPwQj2qB4

JEzvBWvN8Syk0bLco589C6T2RM4VLmkxB3ZATNF1y82swbWUHf9AVvNt8IWAzl2s

usnFiVCkKu3wEWCMMPAWZsE0N1aIinjzOc/IKKizZdH7kCQOU1/mDKbrBBSTCo3O

wV3v1ts7NEuY7n8fb9nRAfbWcmYxNIE95Ul1JD0a0LEuWlt45t4=

=1XfI

—–END PGP SIGNATURE—–