What is GHSA-rg8p-9rpg-r32p?

GHSA-rg8p-9rpg-r32p is a security advisory published by GitHub Security Advisories with Critical severity. Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object...

Which CVE IDs does GHSA-rg8p-9rpg-r32p cover?

GHSA-rg8p-9rpg-r32p covers the following CVE IDs: CVE-2026-45247. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-rg8p-9rpg-r32p?

GHSA-rg8p-9rpg-r32p has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

GHSA-rg8p-9rpg-r32pCriticalCVSS 9.8

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-45247 →

📋 Description

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-45247
https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer
https://sansec.io/research/mirasvit-cache-warmer-object-injection
https://www.vulncheck.com/advisories/mirasvit-cache-warmer-for-magento-php-object-injection
https://github.com/advisories/GHSA-rg8p-9rpg-r32p