
One Cookie. Full Remote Code Execution. CVE-2026-45247 Hits Magento E-Commerce Sites and CISA Added It to the KEV Catalog.

A PHP object injection vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 allows unauthenticated RCE via a single crafted cookie. CVSS 9.3. Actively exploited. Federal patch deadline already passed. Every unpatched Magento store is overdue.


A Cookie That Owns the Server

CVE-2026-45247 documents a PHP object injection vulnerability in Mirasvit's Full Page Cache Warmer extension for Magento 2. The attack requires no authentication, no special access, and no user interaction. An attacker sends a single HTTP request with a crafted cookie. The cookie contains a serialized PHP object that, when deserialized by the cache warmer, executes arbitrary code on the server. CVSS 9.3. CISA added it to the Known Exploited Vulnerabilities catalog. The federal patch deadline was June 6 — ten days ago. Imperva/Thales confirmed active exploitation in the wild.

The vulnerability affects all versions of the Full Page Cache Warmer extension prior to 1.11.12. Magento 2 is one of the most popular enterprise e-commerce platforms, powering payment processing, customer data storage, and order management for mid-to-large retailers. A server compromise via this vulnerability gives attackers access to payment card data, customer PII, and the ability to inject malicious JavaScript into the storefront — the classic Magecart attack pattern that has stolen millions of credit cards from e-commerce sites since 2015.

CVE: CVE-2026-45247 (CVSS 9.3). PHP object injection → unauthenticated RCE. Source: CISA KEV / The Hacker News.
Attack vector: Single crafted cookie. No authentication, no user interaction required. Source: Imperva/Thales.
Federal deadline: June 6, 2026 (overdue). CISA KEV remediation deadline already passed. Source: CISA.

PHP Deserialization: The Gift That Keeps Giving

PHP object injection via unsafe deserialization is one of the oldest and most reliable attack classes in web security. The vulnerability exists whenever PHP's unserialize() function processes user-controlled input — in this case, a cookie value. The attack is well-understood, well-documented, and has been exploited continuously since at least 2009. Yet it continues to appear in production PHP applications in 2026 because the PHP language does not provide safe deserialization by default. The developer must explicitly choose safe alternatives. The framework must enforce safe patterns. Magento's extension ecosystem does neither consistently.

Modern web frameworks eliminate this class of vulnerability by architectural design. FastAPI uses Pydantic models for data validation — there is no unserialize() equivalent. Next.js processes JSON, not serialized PHP objects. Django's session framework uses JSON serialization by default since Django 1.6 (2013). The vulnerability class that CVE-2026-45247 exploits does not exist in frameworks that were designed after the lessons of PHP deserialization attacks were learned. It persists only in ecosystems that inherited PHP's legacy architecture.
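As an added example (not part of the original post, and not code from Mirasvit or Magento), the following Python scans Cookie headers for the O:<len>:"<class>": envelope of a serialized PHP object, which is what a cookie carrying a deserialization payload looks like before unserialize() ever sees it. The cookie name "warmer", the sample headers and the URL/base64 wrappings are constructed assumptions; the advisory does not state the real cookie name or its encoding.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Envelope of a serialized PHP object: O:<name-len>:"<ClassName>":<prop-count>:{
# Only the envelope is matched; no particular gadget class is assumed.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')


def decode_views(value: str) -> list[str]:
    """Raw value plus URL-decoded and base64-decoded views (assumed wrappings)."""
    views = [value]
    decoded = unquote(value)
    if decoded != value:
        views.append(decoded)
    for v in list(views):
        try:
            views.append(base64.b64decode(v, validate=True).decode("latin-1"))
        except (binascii.Error, ValueError):
            pass  # not base64; keep the views already collected
    return views


def suspicious_cookies(cookie_header: str) -> list[str]:
    """Names of cookies in a Cookie header whose value carries a PHP object envelope."""
    hits = []
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        if any(PHP_OBJECT_RE.search(v) for v in decode_views(value)):
            hits.append(name)
    return hits


def scan_headers(headers: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based header index, flagged cookie names) for every header with a hit."""
    return [(i, names) for i, h in enumerate(headers, start=1) if (names := suspicious_cookies(h))]


# Constructed sample headers. "warmer" is a placeholder cookie name, not the
# extension's real cookie; stdClass keeps the sample payloads inert.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; form_key=xyz",                                # benign
    "warmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",                    # URL-encoded object
    "warmer=" + base64.b64encode(b'O:8:"stdClass":0:{}').decode(),  # base64-wrapped
]

if __name__ == "__main__":
    for idx, names in scan_headers(SAMPLE_HEADERS):
        print(f"header {idx}: serialized PHP object in cookie(s) {names}")
```

A rule of this shape belongs in a WAF or reverse proxy in front of the store; it is a stop-gap for detection and blocking, not a substitute for upgrading the extension.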

The E-Commerce Security Angle

E-commerce platforms process payment card data, making them high-value targets subject to PCI DSS compliance requirements. PCI DSS 4.0 (mandatory since March 2025) requires continuous monitoring and timely patching. An e-commerce platform running a Magento extension with a CISA KEV-listed vulnerability past its federal deadline is not just a security risk — it is a compliance violation that could result in loss of payment processing privileges.

WebPulse's scan data shows that Magento sites consistently score lower on security metrics than Shopify or Stripe-integrated headless platforms. The reason is architectural: Magento runs PHP on the server, processes cookies with deserialization, and depends on a third-party extension ecosystem that is not systematically audited. Shopify abstracts all of this — the merchant never touches PHP, never processes raw cookies, never installs server-side extensions. The security posture is determined by the platform's architecture, not the merchant's security expertise.

Patch Now

Upgrade Mirasvit Full Page Cache Warmer to version 1.11.12 or later immediately. If you cannot patch, disable the extension entirely. The CISA federal deadline has already passed. Active exploitation is confirmed. The attack requires only a single crafted HTTP request — no authentication, no social engineering, no vulnerability chain. One cookie. Full server compromise. Every day unpatched is a day your e-commerce infrastructure is demonstrably vulnerable to a known, actively exploited attack.
