CISA is urging federal agencies to patch a critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 within three days. The flaw, CVE-2026-45247, carries a near-perfect CVSS score of 9.8 and requires no authentication to exploit.
Attackers inject malicious PHP objects through the CacheWarmer cookie, which escalates to full remote code execution on Magento and Adobe Commerce servers. Imperva reports that active exploitation began shortly after public disclosure on May 26. Thousands of stores are at risk; any store running a version before 1.11.12 should be updated immediately.
Source: SecurityWeek
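
A defensive check for the cookie-borne PHP object injection described above, as an added example that is not from SecurityWeek, CISA, Imperva or Mirasvit: it flags Cookie headers whose CacheWarmer value contains PHP `serialize()` object tokens. The cookie name spelling, the encodings tried (raw, URL-encoded, base64) and the sample headers are assumptions and constructed values, not details of observed exploit traffic.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"  # assumption: spelled as in the article
# PHP serialize() object tokens: O:<len>:"Class":<n>:{ or C:<len>:"Class":<n>:{
PHP_OBJECT = re.compile(rb'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

def cookie_value(header, name=COOKIE_NAME):
    """Return the named cookie's value from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key.lower() == name.lower():
            return value
    return None

def candidate_decodings(value):
    """Yield (label, bytes) for raw, URL-decoded and base64-decoded forms."""
    url = unquote(value)
    yield "raw", value.encode("utf-8", "replace")
    yield "url", url.encode("utf-8", "replace")
    for label, text in (("base64", value), ("url+base64", url)):
        try:
            yield label, base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64, nothing to inspect

def inspect_cookie_header(header):
    """Return the decoding under which an object token appears, else None."""
    value = cookie_value(header)
    if value is None:
        return None
    for label, data in candidate_decodings(value):
        if PHP_OBJECT.search(data):
            return label
    return None

# Constructed, harmless sample (stdClass with one integer property).
SAMPLE = 'O:8:"stdClass":1:{s:1:"a";i:1;}'
SAMPLE_HEADERS = {
    "benign": "PHPSESSID=abc; CacheWarmer=eyJ2IjoxfQ==",
    "url": "CacheWarmer=" + quote(SAMPLE, safe=""),
    "base64": "PHPSESSID=abc; CacheWarmer=" + base64.b64encode(SAMPLE.encode()).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, "->", inspect_cookie_header(header))
```

A match is a triage signal for log review or a WAF rule, not proof of compromise; updating to 1.11.12 or later remains the fix the article names.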