Mirasvit Vulnerability Exploited to Execute Code on Magento Servers
A flaw in the Full Page Cache Warmer extension can be exploited without authentication via serialized PHP object payloads. The post Mirasvit Vulnerability Exploited to Execute Code on Magento Servers appeared first on SecurityWeek.
The US cybersecurity agency CISA on Wednesday urged federal agencies to immediately patch a critical-severity vulnerability in the Mirasvit Full Page Cache Warmer for Magento 2 extension that has been exploited in the wild for remote code execution (RCE).
Cache Warmer monitors a page's cache status and automatically adds the latest version of the page to the cache to speed up loading and improve page rankings.
The exploited bug, tracked as CVE-2026-45247 (CVSS score of 9.8), is described as a PHP object injection vulnerability that can be exploited remotely, without authentication, to execute arbitrary code on Magento and Adobe Commerce servers.
Source: https://www.securityweek.com/mirasvit-vulnerability-exploited-to-execute-code-on-magento-servers/
Related breach coverage
- Unpatched ChromaDB Vulnerability Can Lead to Server Takeover (2026-05-19)
The security defect can be exploited remotely, without authentication, to execute arbitrary code and leak sensitive information.
- Everest Forms Vulnerability Exploited to Hack WordPress Sites (2026-06-08)
The flaw allows attackers to execute arbitrary code remotely and has been exploited in the wild for two months.
- Cisco Warns of Available PoC for Critical Unified CM Vulnerability (2026-06-04)
The high-severity flaw can be exploited remotely, without authentication, in server-side request forgery (SSRF) attacks.
- Oracle WebLogic Vulnerability Exploited in the Wild (2026-06-02)
The vulnerability is CVE-2024-21182 and it can be exploited without authentication to hack affected WebLogic servers.
