U.S. CISA adds Mirasvit Full Page Cache Warmer flaw to its Known Exploited Vulnerabilities catalog
ID: f139c42b-8042-5a50-90e6-f7369e113d8a
STIX ID: report--f139c42b-8042-5a50-90e6-f7369e113d8a
Feed Name: Security Affairs
CISA added CVE-2026-45247, a critical PHP object injection flaw in the Mirasvit Full Page Cache Warmer Magento extension (versions before 1.11.12, CVSS 9.3), to its Known Exploited Vulnerabilities catalog. The flaw allows unauthenticated attackers to supply a crafted serialized object in the CacheWarmer cookie that reaches PHP's unserialize() and can lead to remote code execution via gadget chains. Researchers warn that thousands of stores may be affected and provide a clear request signature for detection (CacheWarmer:(Tz|Qz|YT) base64 markers). CISA ordered federal agencies to remediate by June 6, 2026.
