[KEV] CVE-2026-45247 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-45247 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-45247 is a deserialization of untrusted data vulnerability in Mirasvit's Full Page Cache Warmer extension for Magento/Adobe Commerce, affecting unauthenticated HTTP request handling via a crafted cookie value.
Technical Detail
The vulnerability exists because the Mirasvit Full Page Cache Warmer extension deserializes PHP object data supplied in the CacheWarmer cookie without adequate validation or sanitization. An unauthenticated remote attacker can craft a malicious serialized PHP object and submit it in that cookie, triggering the deserialization routine and potentially achieving arbitrary code execution on the underlying server. Successful exploitation grants the attacker full control of the web application environment, including access to the database, customer data, and server filesystem.
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this CVE to the Known Exploited Vulnerabilities catalog on June 3, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable exploitation exists and is being used in real-world attacks, not merely as a proof of concept. Organizations running the affected extension should treat this as an immediate priority regardless of perceived exposure.
Who Is Targeting This
No confirmed, ATTAX-verified threat actor attribution is available at this time. Reported attribution carries medium confidence with no public actor name, origin, or stated motivation identified in current research. The absence of attribution does not reduce risk given confirmed active exploitation; opportunistic actors targeting Magento-based e-commerce infrastructure are a plausible but unverified hypothesis.
What To Do
Per CISA's Binding Operational Directive 22-01 (BOD 22-01), which governs the Known Exploited Vulnerabilities catalog, federal civilian executive branch agencies are required to apply patches or mitigations by the deadline associated with the June 3, 2026 KEV listing. All organizations should prioritize patching the Mirasvit Full Page Cache Warmer extension to the latest available version immediately. If a patch is not yet available or cannot be applied immediately, consider disabling the extension entirely until remediation is possible. As a detection measure, monitor web server logs for anomalous or oversized CacheWarmer cookie values, unexpected PHP process spawning from the web server user, and outbound connections initiated by the web server process. Conduct a review of server integrity and database contents if the extension has been exposed to untrusted traffic since before June 3, 2026.
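
One way to run the CacheWarmer cookie check over access logs, as an added example that is not part of the original briefing or the vendor's code. It assumes the web server has been configured to log the Cookie header as the last quoted field; the 256-character threshold, the base64/URL-encoding handling, and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

MAX_LEN = 256  # assumed threshold; tune against your own baseline of normal values
COOKIE_RE = re.compile(r'(?:^|[;"\s])CacheWarmer=([^;"\s]*)')
# PHP serialize() object markers: O:<len>:"Class":<n>:{ or C:<len>:"Class":<n>:{
PHP_OBJECT_RE = re.compile(rb'(?:^|[;{])[OC]:\d+:"[^"]+":\d+:\{')

def _decodings(value):
    """Yield the URL-decoded value and, if it parses, its base64 decoding."""
    # nginx writes a literal double quote as \x22 in its access log
    raw = unquote(value.replace("\\x22", '"')).encode("utf-8", "replace")
    yield raw
    try:
        yield base64.b64decode(raw + b"=" * (-len(raw) % 4), validate=True)
    except (binascii.Error, ValueError):
        pass

def inspect_line(line):
    """Return the reasons this line's CacheWarmer cookie looks suspicious."""
    m = COOKIE_RE.search(line)
    if not m:
        return []
    value = m.group(1)
    reasons = ["oversized"] if len(value) > MAX_LEN else []
    if any(PHP_OBJECT_RE.search(d) for d in _decodings(value)):
        reasons.append("php-serialized-object")
    return reasons

def scan(lines):
    """Return (line_number, client_ip, reasons) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = inspect_line(line)
        if reasons:
            hits.append((n, line.split(" ", 1)[0], reasons))
    return hits

_BENIGN = b'O:8:"stdClass":0:{}'  # constructed, harmless empty object
_FMT = '{ip} - - [01/Jan/2026:00:00:00 +0000] "GET / HTTP/1.1" 200 0 "-" "-" "{c}"'
SAMPLE = [  # constructed log lines, not real traffic
    _FMT.format(ip="203.0.113.5", c="CacheWarmer=1; PHPSESSID=abc"),
    _FMT.format(ip="203.0.113.9", c="CacheWarmer=" + base64.b64encode(_BENIGN).decode()),
    _FMT.format(ip="198.51.100.7", c="CacheWarmer=" + "A" * 300),
    _FMT.format(ip="198.51.100.8", c="CacheWarmer=" + quote(_BENIGN.decode(), safe="")),
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit is a triage lead rather than proof of compromise; correlate flagged client addresses with the PHP process and outbound-connection signals listed above.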