// #php-deserialization

CVE-2026-45247: CISA Adds Mirasvit Magento Cache Warmer RCE to KEV — Unauthenticated PHP Deserialization Exploited in Wild

CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalogue on 3 June, confirming active exploitation of a CVSS 9.8 PHP deserialization vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2. Attackers exploit a malicious serialised cookie value to execute arbitrary code without authentication. The patch has been available since 25 May; organisations running Mirasvit FPC Warmer must update immediately.