// #ecommerce
3 articles
Magento and eCommerce Platform Security: Knowing What You Run and What You Owe Customers
CVE-2026-45247's CISA KEV status means organisations running Mirasvit Full Page Cache Warmer are now under a federal mandate to remediate — and should be asking whether their eCommerce platform inventory is accurate enough to comply. Magento deployments often span multiple versions, extension states, and customisation layers that make attack surface visibility a genuine challenge.
Magento Extension Supply Chain Risk: CVE-2026-45247 and the Third-Party Plugin Attack Surface
CVE-2026-45247 in the Mirasvit Full Page Cache Warmer illustrates a structural security problem in the Magento ecosystem: eCommerce site security is determined not just by the core platform version, but by every third-party extension installed. This guide covers how to assess and reduce the Magento extension attack surface.
CVE-2026-45247: CISA Adds Mirasvit Magento Cache Warmer RCE to KEV — Unauthenticated PHP Deserialization Exploited in Wild
CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalogue on 3 June, confirming active exploitation of a CVSS 9.8 PHP deserialization vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2. Attackers exploit a malicious serialised cookie value to execute arbitrary code without authentication. The patch has been available since 25 May; organisations running Mirasvit FPC Warmer must update immediately.