Mirasvit Vulnerability Exploited to Execute Code on Magento Servers

A flaw in the Full Page Cache Warmer extension can be exploited without authentication via serialized PHP object payloads. The post Mirasvit Vulnerability Exploited to Execute Code on Magento Servers appeared first on SecurityWeek .

SecurityWeek reports a critical vulnerability (CVE-2026-45247) in the Mirasvit Full Page Cache Warmer extension for Magento 2, where unsafe deserialization of attacker-controlled serialized PHP objects in a CacheWarmer cookie allows unauthenticated remote code execution on Magento and Adobe Commerce servers.[1][3][9] The flaw, rated critical (CVSS≈9.8), affects versions prior to 1.11.12 and is being actively exploited in the wild, leading vendors and CISA to urge immediate patching.[1][3][7] From a CyberSE.AI perspective, this illustrates the broader AI supply chain risk pattern: third-party plugins, SDKs, or infrastructure components used by AI-enabled commerce platforms can introduce critical RCE paths that bypass core application controls, so organizations need SBOM-driven dependency tracking, continuous vulnerability monitoring, and hardening guidance for all extensions surrounding AI-powered storefronts and agents. Applying similar supply-chain controls to AI stacks (libraries, model-serving plugins, observability agents, and orchestration extensions) is essential to prevent an attacker from pivoting through non-AI components to compromise AI services and data.