CVE-2026-45247: Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability
Summary
A deserialization of untrusted data vulnerability has been identified in Mirasvit Full Page Cache Warmer. This flaw allows unauthenticated attackers to achieve remote code execution by sending a crafted serialized PHP object in the CacheWarmer cookie.
IFF Assessment
This vulnerability allows remote code execution, posing a significant threat to systems and data.
Severity
The vulnerability allows for remote code execution with no authentication required and has a high impact on confidentiality, integrity, and availability. The attack vector is network-based and exploits a deserialization flaw. Given these factors, a CVSS score of 9.8 (Critical) is estimated.
CISA KEV: Listed as actively exploited. Federal patch due: June 06, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability in Mirasvit Full Page Cache Warmer presents a critical remote code execution risk. Defenders should prioritize applying vendor-provided mitigations, or discontinue use of the affected product if patches are unavailable. For cloud services, follow CISA's Binding Operational Directive 22-01.
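Detection sketch for the Summary above, added here as an example and not taken from the vendor or CISA: it flags requests whose CacheWarmer cookie carries a PHP serialized object marker. The log layout, the sample lines, and the cookie encodings it tries (URL-encoding and base64) are assumptions; the advisory does not state how the cookie is encoded.

```python
import base64
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"  # cookie named in the advisory
# PHP serialize() writes objects as O:<len>:"Class":... (C: for Serializable classes).
OBJECT_TOKEN = re.compile(r'(?:^|[;{}])[OC]:\d+:"')

def cookie_value(header, name=COOKIE_NAME):
    """Return the named cookie's raw value from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def decoded_forms(value):
    """Raw value, up to two rounds of URL-decoding, then base64 of each (assumed encodings)."""
    forms = [value, unquote(value), unquote(unquote(value))]
    for text in list(forms):
        try:
            raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
            forms.append(raw.decode("latin-1"))
        except ValueError:  # not valid base64
            pass
    return forms

def inspect_cookie_header(header):
    """Classify a Cookie header as 'absent', 'clean' or 'serialized-object'."""
    value = cookie_value(header)
    if value is None:
        return "absent"
    if any(OBJECT_TOKEN.search(form) for form in decoded_forms(value)):
        return "serialized-object"
    return "clean"

def scan(lines):
    """Return (client, path) for each log line whose cookie holds a serialized object."""
    hits = []
    for line in lines:
        client, path, header = line.split("\t", 2)
        if inspect_cookie_header(header) == "serialized-object":
            hits.append((client, path))
    return hits

BENIGN_OBJECT = 'O:8:"stdClass":0:{}'  # constructed, harmless serialized object
SAMPLE_LOG = [  # constructed lines: client, path, Cookie header (tab-separated)
    "203.0.113.10\t/\tPHPSESSID=abc123; CacheWarmer=1",
    "203.0.113.11\t/\tCacheWarmer=" + quote(BENIGN_OBJECT, safe=""),
    "203.0.113.12\t/cart\tform_key=x; CacheWarmer="
    + base64.b64encode(("a:1:{i:0;" + BENIGN_OBJECT + "}").encode()).decode(),
    "203.0.113.13\t/\tPHPSESSID=def456",
]
```

A hit means the request carried an object marker, not that deserialization succeeded, so treat matches as leads for review against the patch status of the host.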