Overview
- Researchers disclosed the deserialization flaw in late May, and security firms soon reported active exploit attempts that deliver base64-encoded serialized PHP objects to trigger remote code execution.
- The bug, tracked as CVE-2026-45247, lets an attacker place a crafted serialized PHP object in the CacheWarmer cookie, which is passed to PHP's unsafe unserialize() call, enabling PHP object injection and gadget-chain-based RCE.
- The vendor patch for the Mirasvit Full Page Cache Warmer extension was released in late May in version 1.11.12; all users running versions before 1.11.12 must update to block the exploit.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog on Wednesday, ordering Federal Civilian Executive Branch agencies to apply the fixes by June 6, 2026.
- Security firms published detection tips and scope estimates. CacheWarmer cookie values that start with base64 patterns like Tz, Qz or YT are strong indicators of exploit attempts. Roughly 6,000 stores use the vendor’s extensions, though true exposure may be higher because CDNs can hide installs.
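
The cookie indicator from the last bullet can be turned into a log check. The following is an added example, not code from the vendor or the security firms: it flags CacheWarmer cookie values with the Tz/Qz/YT prefixes and then confirms whether the value really decodes to a PHP serialized object or array header, which separates strong hits from coincidental prefix matches. The cookie name `CacheWarmer`, the tab-separated log layout and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

COOKIE_NAME = "CacheWarmer"  # assumption: literal cookie name, adjust to your logs
# "O:", "C:" and "a:" (PHP serialized object, custom-serialized object, array)
# base64-encode to strings starting with Tz, Qz and YT.
B64_PREFIXES = ("Tz", "Qz", "YT")
SERIALIZED = re.compile(rb'^(?:[OC]:\d+:"|a:\d+:\{)')

def cookie_value(header, name=COOKIE_NAME):
    """Return the URL-decoded value of `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return unquote(value)
    return None

def classify(header):
    """'none', 'prefix' (pattern match only) or 'serialized' (decodes to PHP data)."""
    value = cookie_value(header)
    if value is None or not value.startswith(B64_PREFIXES):
        return "none"
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return "prefix"
    return "serialized" if SERIALIZED.match(decoded) else "prefix"

def scan(lines):
    """Return (client, verdict) for each 'client<TAB>cookie-header' line that hits."""
    hits = []
    for line in lines:
        client, _, header = line.rstrip("\n").partition("\t")
        verdict = classify(header)
        if verdict != "none":
            hits.append((client, verdict))
    return hits

# Constructed sample input: documentation IPs and a harmless empty stdClass.
_OBJ = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE = [
    "198.51.100.10\tsid=abc; CacheWarmer=1",
    "203.0.113.7\tsid=x; CacheWarmer=" + _OBJ,
    "203.0.113.9\tCacheWarmer=YTabcd",
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE):
        print(client, verdict)
```

A `serialized` verdict means the cookie carried PHP serialized data, not that a store was compromised; pair hits with the installed extension version to decide what needs incident response.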