A critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento/Adobe Commerce allows unauthenticated attackers to execute arbitrary code on affected servers. The flaw stems from unsafe deserialisation of a crafted PHP object passed via the CacheWarmer cookie, requiring no login or prior access. This vulnerability is actively being exploited in the wild, confirmed by CISA’s inclusion in its Known Exploited Vulnerabilities catalogue.

Architect’s Take: Identify any Magento or Adobe Commerce instances running the Mirasvit Full Page Cache Warmer extension and apply the vendor patch immediately ahead of the 6 June 2026 remediation deadline. Where patching is not immediately possible, implement a WAF rule to inspect and block malicious serialised PHP objects in the CacheWarmer cookie as an interim control.

Original advisory: CVE-2026-45247: Mirasvit Mirasvit Full Page Cache Warmer