Online merchants running Magento 2 with the Mirasvit Full Page Cache Warmer plugin face an urgent patching deadline after government cybersecurity agencies flagged a maximum-severity vulnerability that allows unauthenticated attackers to execute arbitrary code on affected servers. CVE-2026-45247 carries a CVSS v3.1 score of 9.8 and affects all plugin versions before 1.11.12. Singapore’s Cyber Security Agency responded with Alert AL-2026-066, directing store operators to patch or apply mitigations immediately.
A 9.8-severity Magento plugin flaw draws coordinated government response
The vulnerability sits in the way the Mirasvit Full Page Cache Warmer handles session data. An attacker can send a specially crafted CacheWarmer cookie that triggers unauthenticated PHP object injection, which in turn opens a path to remote code execution (RCE) on the underlying server. No login credentials are needed. No user interaction is required. The attack surface is the public-facing storefront itself, meaning any visitor session can be weaponized.
That combination of low attack complexity and maximum impact explains the 9.8 score assigned by the CNA and published in the National Vulnerability Database. A flaw rated this high typically means full compromise of confidentiality, integrity, and availability for the host system. For an e-commerce store, that translates to stolen customer payment data, injected skimming scripts, or complete takeover of the checkout flow.
Singapore’s Cyber Security Agency moved quickly. Its official alert confirmed the affected version range (plugin releases before 1.11.12) and urged operators to apply the vendor patch or implement compensating controls without delay. The speed of the response suggests the agency had access to early technical details, possibly through the same researcher or coordinated disclosure channel that supplied the CNA scoring data to NIST. While no public statement confirms that link, the tight timeline between NVD publication and the Singapore advisory is consistent with a shared private disclosure pipeline rather than independent discovery.
How a cache cookie becomes a full server takeover
Cache-warming plugins are designed to pre-generate static page versions so that shoppers experience faster load times. The Mirasvit Full Page Cache Warmer is one of the more widely installed extensions in the Magento 2 ecosystem, used by merchants looking to reduce server response times during high-traffic periods. That popularity also makes it a high-value target.
The attack chain exploits PHP’s object serialization mechanism. When the plugin reads the CacheWarmer cookie, it deserializes the contents without adequate validation. An attacker who controls the cookie value can inject a malicious PHP object that, once deserialized, executes arbitrary commands on the server. This class of vulnerability, PHP object injection, has been a recurring problem in the Magento ecosystem, but a CVSS 9.8 rating with no authentication requirement puts CVE-2026-45247 at the extreme end of the severity scale.
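To make the bug class concrete, the following PHP 8 snippet is an added illustration, not Mirasvit’s code and not taken from the advisory. It places the vulnerable pattern the article describes (unserialize() on a cookie value) beside a hardened replacement that never deserializes untrusted input. The cookie name CacheWarmer comes from the advisory; the WarmerSession class, its fields, the function names and the key handling are assumptions made for the example.

```php
<?php
// Added illustration of the bug class described above; this is not Mirasvit's
// code. The cookie name "CacheWarmer" is from the advisory; WarmerSession, its
// fields and the key handling are assumptions for the example. Requires PHP 8.
declare(strict_types=1);

final class WarmerSession
{
    public function __construct(public string $sessionId, public int $startedAt) {}
}

// VULNERABLE PATTERN: unserialize() on attacker-controlled input. Any class
// reachable through the autoloader whose __wakeup()/__destruct() has side
// effects is instantiated with attacker-chosen properties before the
// instanceof check below ever runs. That is the PHP object injection primitive.
function readWarmerCookieUnsafe(array $cookies): ?WarmerSession
{
    if (!isset($cookies['CacheWarmer'])) {
        return null;
    }
    $obj = @unserialize($cookies['CacheWarmer']);
    return $obj instanceof WarmerSession ? $obj : null;
}

// HARDENED PATTERN: the cookie carries only plain scalars, is authenticated
// with an HMAC, and the object is rebuilt from validated fields. No unserialize().
function writeWarmerCookieSafe(WarmerSession $s, string $key): string
{
    $payload = json_encode(['sid' => $s->sessionId, 'ts' => $s->startedAt], JSON_THROW_ON_ERROR);
    $hex = bin2hex($payload);
    return $hex . '.' . hash_hmac('sha256', $hex, $key);
}

function readWarmerCookieSafe(array $cookies, string $key): ?WarmerSession
{
    $raw = $cookies['CacheWarmer'] ?? null;
    if (!is_string($raw) || strlen($raw) > 1024) {
        return null;
    }
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2 || !preg_match('/^(?:[0-9a-f]{2})+$/', $parts[0])) {
        return null;
    }
    [$hex, $mac] = $parts;
    // Constant-time comparison: anything not signed with our key is dropped
    // before its contents are parsed at all.
    if (!hash_equals(hash_hmac('sha256', $hex, $key), $mac)) {
        return null;
    }
    $data = json_decode(hex2bin($hex), true);
    if (!is_array($data)
        || !is_string($data['sid'] ?? null) || !is_int($data['ts'] ?? null)
        || !preg_match('/^[A-Za-z0-9]{1,64}$/', $data['sid'])) {
        return null;
    }
    return new WarmerSession($data['sid'], $data['ts']);
}

// Usage: round-trip a legitimate session, then hand the hardened reader a cookie
// that is a serialized object. The second call returns null instead of an object.
$key = 'example-only-key'; // assumption: a real deployment loads this from config
$cookie = writeWarmerCookieSafe(new WarmerSession('abc123', 1700000000), $key);
var_dump(readWarmerCookieSafe(['CacheWarmer' => $cookie], $key)?->sessionId);
var_dump(readWarmerCookieSafe(['CacheWarmer' => 'O:8:"stdClass":0:{}'], $key));
```

The point of the hardened version is that the instanceof check in the unsafe reader comes too late: by the time it runs, unserialize() has already constructed whatever object the cookie named. Where a wire format cannot be changed immediately, `unserialize($value, ['allowed_classes' => false])` reduces the damage by turning every object into `__PHP_Incomplete_Class`, but removing unserialize() from the untrusted path altogether is the durable fix.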
The practical consequence for store owners is stark. A compromised server can be used to harvest credit card numbers in real time, redirect customers to phishing pages, or install persistent backdoors that survive routine updates. Because the vulnerability exists in a caching layer rather than in Magento’s core code, many merchants may not realize they are exposed. Extensions often fall outside standard patch management workflows, and smaller merchants may not track third-party plugin advisories with the same rigor they apply to core platform updates.
Merchants running any version of the Mirasvit Full Page Cache Warmer below 1.11.12 should treat this as a top-priority fix. The recommended first step is to update the plugin to version 1.11.12 or later. If an immediate update is not possible, disabling the plugin entirely removes the attack surface until the patch can be applied. Store operators should also review server logs for unusual CacheWarmer cookie values, spikes in HTTP 500 errors, or unexpected outbound connections, which could indicate prior exploitation.
Gaps in the public record and what merchants should watch next
Several pieces of the story are still missing from the public record. The original reporting direction referenced CISA adding CVE-2026-45247 to its Known Exploited Vulnerabilities catalog, but no CISA KEV entry or official CISA advisory confirming that addition appears in the primary sources available for this article. The NVD entry and the Singapore CSA alert are the two verified government records. Whether CISA has independently confirmed active exploitation or formally added the flaw to its must-patch list is not yet documented in accessible federal databases.
The claim that attackers have begun hijacking online shops also lacks a published incident report or forensic analysis in the available source material. Security researchers who track Magento-targeted attacks are cited in vulnerability databases, but no specific victim count, campaign timeline, or malware sample has been disclosed publicly in the sources used here. That gap matters because it affects how urgently merchants outside the United States and Singapore need to act. A confirmed mass-exploitation campaign would shift the calculus from “patch soon” to “patch now and audit for compromise.”
In the absence of clear evidence of widespread exploitation, merchants should still assume that proof-of-concept code will emerge quickly, if it has not already. The exploit path is straightforward, relies only on manipulating a cookie, and targets a plugin that is attractive to attackers because it is deployed on revenue-generating sites. History shows that once a Magento extension vulnerability is cataloged with a high CVSS score, automated scanners and botnets typically begin probing for unpatched installations.
Practical steps for Magento store operators
For store owners and hosting providers, the immediate priority is to identify whether the vulnerable plugin is present in any Magento 2 deployment. Inventory all extensions across production, staging, and development environments, paying particular attention to older or custom-modified installations where plugin versions may lag behind.
If the Mirasvit Full Page Cache Warmer is installed and below version 1.11.12, schedule an emergency maintenance window to apply the vendor update. Where change-control processes are strict, document the 9.8 CVSS score and unauthenticated RCE impact to justify an expedited change. For managed hosting customers, press providers for written confirmation that they have patched or disabled the plugin on your behalf.
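The inventory step above can be scripted against the composer.lock of each environment. The PHP 8 script below is an added example, not the article’s or the vendor’s code; the package-name pattern and the sample package name "mirasvit/module-cache-warmer" are placeholders and must be checked against the real name in your own composer.lock. The fixed version 1.11.12 is from the advisory.

```php
<?php
// Added example (not the article's or the vendor's code): scan composer.lock
// content from several environments and report cache-warmer installs below the
// fixed release named in the advisory. The package-name pattern is an
// assumption; verify the exact name in your own composer.lock. Requires PHP 8.
declare(strict_types=1);

const FIXED_VERSION = '1.11.12';
// Assumption: the vendor's packages are namespaced "mirasvit/..." and the warmer
// package name contains "cache" and "warm". Adjust to the real name.
const PACKAGE_PATTERN = '/^mirasvit\/.*cache.*warm/i';

// Normalise composer version strings so version_compare() behaves: drop a
// leading "v" (version_compare would otherwise rank "v1.11.12" below "1.11.12").
function normaliseVersion(string $v): string
{
    return ltrim($v, 'vV');
}

// Returns one finding per matching package that is below the fixed version.
// Branch versions such as "dev-master" cannot be compared, so they are
// reported as "unknown" rather than silently treated as safe.
function findVulnerableWarmerPackages(string $lockJson, string $fixed = FIXED_VERSION): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (!isset($pkg['name'], $pkg['version']) || !preg_match(PACKAGE_PATTERN, $pkg['name'])) {
                continue;
            }
            $version = normaliseVersion($pkg['version']);
            if (!preg_match('/^\d+(\.\d+)+/', $version)) {
                $findings[] = ['name' => $pkg['name'], 'version' => $pkg['version'], 'status' => 'unknown'];
            } elseif (version_compare($version, $fixed, '<')) {
                $findings[] = ['name' => $pkg['name'], 'version' => $pkg['version'], 'status' => 'vulnerable'];
            }
        }
    }
    return $findings;
}

// Constructed sample lock contents standing in for production, staging and dev.
// "mirasvit/module-cache-warmer" is a placeholder package name, not a verified one.
$environments = [
    'production' => '{"packages":[{"name":"mirasvit/module-cache-warmer","version":"1.11.9"}]}',
    'staging'    => '{"packages":[{"name":"mirasvit/module-cache-warmer","version":"v1.11.12"}]}',
    'dev'        => '{"packages":[],"packages-dev":[{"name":"mirasvit/module-cache-warmer","version":"dev-master"}]}',
];

foreach ($environments as $env => $lockJson) {
    foreach (findVulnerableWarmerPackages($lockJson) as $f) {
        printf("%s: %s %s is %s\n", $env, $f['name'], $f['version'], $f['status']);
    }
}
```

In practice the loop would read `composer.lock` from each deployment path instead of inline strings; the sample shows the three cases a scan has to distinguish: a numeric version below the fix, a patched version with a leading "v" that naive comparison mishandles, and a branch install whose version cannot be compared and therefore needs a manual check.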
Alongside patching, implement basic hardening measures. Ensure that web application firewalls are configured to inspect and, where feasible, block suspicious CacheWarmer cookie values. Tighten file permissions on the webroot and configuration directories so that even a partial compromise has limited blast radius. Where possible, isolate the Magento application in its own container or virtual machine, reducing the risk that an exploited plugin can pivot into other systems.
After remediation, conduct a targeted compromise assessment. Review web server and application logs for anomalous requests involving the CacheWarmer cookie, unexpected administrative logins, or changes to payment and checkout templates. Consider rotating API keys and administrative passwords, and validate that no unauthorized users have been added to the Magento backend.
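The log review recommended here and earlier (unusual CacheWarmer cookie values, spikes in HTTP 500 errors) can be reduced to a first-pass triage script, and the same cookie-shape test is what a WAF rule inspecting the cookie would need. The PHP 8 script below is an added example, not the article’s or the vendor’s code. It assumes the access log is in combined format with the Cookie header appended as a final quoted field (as nginx does with `"$http_cookie"`); the log lines, IP addresses, timestamps and the burst threshold are constructed for the example.

```php
<?php
// Added example (not from the article or the vendor): scan access-log lines for
// two indicators the article suggests reviewing: CacheWarmer cookie values that
// look like serialized PHP objects, and bursts of HTTP 5xx responses per client.
// Log format is an assumption: combined format plus the Cookie header as a last
// quoted field (nginx: ... "$http_cookie"). Requires PHP 8.
declare(strict_types=1);

// Constructed sample lines; IPs, timestamps, paths and cookie values are made up.
// Browsers percent-encode cookie values, so the serialized samples appear encoded.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "CacheWarmer=a1b2c3d4.9f8e7d6c; PHPSESSID=abc"
203.0.113.11 - - [12/May/2026:10:00:03 +0000] "GET /catalog HTTP/1.1" 200 8210 "-" "Mozilla/5.0" "PHPSESSID=def"
198.51.100.7 - - [12/May/2026:10:00:05 +0000] "GET / HTTP/1.1" 500 0 "-" "curl/8.4.0" "CacheWarmer=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D"
198.51.100.7 - - [12/May/2026:10:00:06 +0000] "GET / HTTP/1.1" 500 0 "-" "curl/8.4.0" "CacheWarmer=a%3A1%3A%7Bi%3A0%3BO%3A3%3A%22Foo%22%3A0%3A%7B%7D%7D"
198.51.100.7 - - [12/May/2026:10:00:07 +0000] "GET / HTTP/1.1" 500 0 "-" "curl/8.4.0" "CacheWarmer=O%3A3%3A%22Bar%22%3A0%3A%7B%7D"
203.0.113.12 - - [12/May/2026:10:00:09 +0000] "GET /checkout HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "CacheWarmer=deadbeef.0123abcd"
LOG;

// A serialized PHP object starts with O:<len>:"<class>" (or C:<len>:" for
// custom serialization), either at the start of the value or nested inside an
// array/object body after ";" or "{". Decode percent-encoding once first.
function looksLikeSerializedObject(string $cookieValue): bool
{
    $v = rawurldecode($cookieValue);
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $v);
}

function extractCacheWarmerCookie(string $cookieHeader): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        $pair = trim($pair);
        if (str_starts_with($pair, 'CacheWarmer=')) {
            return substr($pair, strlen('CacheWarmer='));
        }
    }
    return null;
}

// Returns suspicious cookie sightings and per-client, per-minute 5xx bursts.
function scanAccessLog(string $log, int $burstThreshold = 3): array
{
    // Last field may contain escaped quotes (Apache writes \"), hence (?:[^"\\]|\\.)*
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "((?:[^"\\\\]|\\\\.)*)"$/';
    $suspicious = [];
    $errorsPerClientMinute = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // unparseable line; a real run should count these as well
        }
        [, $ip, $ts, $status, $cookieField] = $m;
        $warmer = extractCacheWarmerCookie(stripslashes($cookieField));
        if ($warmer !== null && looksLikeSerializedObject($warmer)) {
            $suspicious[] = ['ip' => $ip, 'time' => $ts, 'cookie' => $warmer];
        }
        if ((int) $status >= 500) {
            // Bucket by client and minute: "12/May/2026:10:00" from "12/May/2026:10:00:05 +0000"
            $key = $ip . ' ' . substr($ts, 0, 17);
            $errorsPerClientMinute[$key] = ($errorsPerClientMinute[$key] ?? 0) + 1;
        }
    }
    $bursts = [];
    foreach ($errorsPerClientMinute as $key => $count) {
        if ($count >= $burstThreshold) {
            $bursts[] = ['client_minute' => $key, 'count' => $count];
        }
    }
    return ['suspicious_cookies' => $suspicious, 'error_bursts' => $bursts];
}

// Usage over the constructed sample: prints each serialized-object cookie
// sighting and each client/minute pair that crossed the 5xx threshold.
$report = scanAccessLog(SAMPLE_LOG);
foreach ($report['suspicious_cookies'] as $f) {
    printf("serialized-object CacheWarmer cookie from %s at %s: %s\n", $f['ip'], $f['time'], $f['cookie']);
}
foreach ($report['error_bursts'] as $b) {
    printf("%d HTTP 5xx responses for %s\n", $b['count'], $b['client_minute']);
}
```

Two caveats for real use: the cookie-shape test is a triage heuristic, not proof of exploitation, and its absence proves nothing if the server was not logging the Cookie header before the incident; and a legitimate cookie produced by a hardened design (signed plain data, as in the earlier illustration) never contains these markers, so any hit on a patched store still deserves a look at what else that client did.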
Staying ahead of extension-driven threats
CVE-2026-45247 underscores a broader lesson for e-commerce operators: third-party extensions can quietly expand the attack surface beyond what core platform advisories capture. A mature security program treats plugins and modules as first-class assets, with their own patch cadence, risk assessments, and decommissioning plans.
Merchants in Singapore can leverage national guidance by monitoring the Cyber Security Agency’s advisories and subscribing to updates through the cyber health portal, which aggregates information on emerging threats and recommended mitigations. Operators elsewhere should establish similar habits, tracking vendor advisories, national CERT bulletins, and vulnerability databases for extension-specific issues.
For now, the path forward is clear even if some details remain murky: identify the Mirasvit Full Page Cache Warmer wherever it is deployed, update or disable vulnerable versions, and assume that opportunistic scanning is already underway. Until more concrete incident data emerges, treating CVE-2026-45247 as a critical, internet-facing risk is the most defensible course of action for any Magento 2 store that depends on customer trust and uninterrupted revenue.
*This article was researched with the help of AI, with human editors creating the final content.