On June 3, 2026 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a new flaw to its Known Exploited Vulnerabilities catalog — and if you sell online with Magento or Adobe Commerce, it deserves your attention today. The bug, tracked as CVE-2026-45247, carries a CVSS score of 9.8 and lets an unauthenticated attacker run arbitrary code on your store’s server. Security vendors are already seeing it exploited in the wild, and federal agencies were ordered to patch by June 6. For American retailers heading into the back half of the year, this is the kind of quiet, plumbing-level risk that can take a storefront offline or leak customer data without warning.
A 9.8 flaw that is already being exploited
CVE-2026-45247 lives in the Mirasvit Full Page Cache Warmer, a widely used performance extension that speeds up Magento storefronts by pre-loading cached pages. The Dutch security firm Sansec, which first detailed the issue, estimates roughly 6,000 stores run Mirasvit extensions — and the true number is likely higher because content delivery networks like Cloudflare hide many installs. Imperva has since reported active attacks: malicious HTTP requests carrying base64-encoded payloads that attempt to invoke functions such as system() to execute commands on the server. The early activity has concentrated on gaming and business sites, with the United States among the most targeted countries.
The vendor released a fix on May 25, 2026. Every version of the extension before 1.11.12 is affected. Because exploitation requires no login and no admin privileges, the window between “public exploit” and “your store is compromised” is measured in days, not months.
Why a “cache” extension became the front door
The technical root cause is a classic and dangerous pattern: deserialization of untrusted data, formally CWE-502. The extension reads a cookie named CacheWarmer and passes part of its value straight into PHP’s native unserialize() function. Because that cookie comes from the visitor’s browser, an attacker fully controls the objects PHP rebuilds in memory. By combining that control with a “gadget chain” — ordinary classes that Magento and its dependencies already ship — object injection escalates into full remote code execution.
This is why third-party extensions matter so much in commerce platforms. Your core Magento install may be fully patched, but a single add-on that trusts client input can hand attackers the keys. Sansec notes a useful detection tell: PHP's serialized form begins with O: for an object, C: for a class with custom serialization, and a: for an array, and those two-byte openers base64-encode to Tz, Qz, and YT respectively. A CacheWarmer cookie whose value matches the pattern CacheWarmer:(Tz|Qz|YT) is therefore a strong sign someone is probing your store.
What it means for US ecommerce businesses
For a US merchant, a remote-code-execution flaw is not just an IT ticket — it is a business and compliance event. An attacker with code execution on your storefront can skim payment-card data at checkout, plant a persistent backdoor, exfiltrate customer records, or redirect orders. That triggers very real US obligations: PCI DSS 4.0.1 requirements around script and integrity monitoring on payment pages, state breach-notification laws in all 50 states, and potential Federal Trade Commission scrutiny of how you secured consumer data.
The practical takeaways are concrete:
- Inventory every third-party extension on your Magento or Adobe Commerce store, not just the core platform — you cannot patch what you have not catalogued.
- Update the Mirasvit Cache Warmer to version 1.11.12 or later right now if you run it.
- Add an edge or web-application-firewall rule to strip or block suspicious CacheWarmer cookies while you patch.
- Search your access logs for the CacheWarmer:(Tz|Qz|YT) marker to confirm whether you have already been probed.
- Treat the same deserialization risk as a category, not a one-off — other plugins can carry the identical flaw.
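The log check from the list above, and the reason the Tz/Qz/YT prefixes work, as an added example (not Sansec's or Mirasvit's code). It assumes the web server logs the Cookie request header and that the cookie value is laid out as CacheWarmer:&lt;base64&gt;; the log lines are constructed, not real traffic.

```python
import base64
import re
from urllib.parse import unquote

# Detection marker quoted by Sansec: a CacheWarmer cookie value that starts
# with the base64 of a serialized PHP object ("O:" -> Tz), a custom-serialized
# class ("C:" -> Qz) or an array ("a:" -> YT).
MARKER = re.compile(r"CacheWarmer:(Tz|Qz|YT)")


def b64_prefix(serialized: str) -> str:
    """First two base64 characters of a serialized PHP value (why Tz/Qz/YT)."""
    return base64.b64encode(serialized.encode()).decode()[:2]


def scan_access_log(lines):
    """Return (line number, matched prefix) for each log line carrying the marker.

    Assumption: the server logs the Cookie request header (for Apache, a
    LogFormat that includes %{Cookie}i). Cookie values are often URL-encoded
    in transit, so each line is percent-decoded before matching.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        match = MARKER.search(unquote(line))
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample log lines (not real traffic). The flagged lines carry a
# harmless empty stdClass / empty array; only the prefix matters for detection.
OBJ = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
ARR = base64.b64encode(b'a:0:{}').decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2026:10:15:01 +0000] "GET / HTTP/1.1" 200 5123 "CacheWarmer=CacheWarmer:1"',
    f'203.0.113.9 - - [04/Jun/2026:10:15:04 +0000] "GET / HTTP/1.1" 200 5123 "CacheWarmer=CacheWarmer:{OBJ}"',
    f'203.0.113.9 - - [04/Jun/2026:10:15:05 +0000] "GET / HTTP/1.1" 200 5123 "CacheWarmer=CacheWarmer%3A{ARR}"',
    '192.0.2.44 - - [04/Jun/2026:10:16:12 +0000] "GET /checkout HTTP/1.1" 200 9876 "PHPSESSID=abc123"',
]

if __name__ == "__main__":
    for number, prefix in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: CacheWarmer cookie carries serialized PHP data (prefix {prefix})")
```

A plain value such as CacheWarmer:1 is not flagged; only values that decode to a serialized object, class or array match.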

How Vadimages helps
Vadimages builds and hardens the web and mobile software that runs storefronts, so incidents like this are squarely in our lane. We start by auditing your storefront codebase and its extension dependencies, mapping every add-on and version so risky components like a vulnerable cache plugin surface before attackers find them. From there we build a patching and release pipeline — staging environment, automated dependency checks, and a clean deploy path — so a critical fix can ship in hours instead of weeks.
For stores that have outgrown a fragile theme-and-plugin stack, we design and develop modern headless commerce front ends and custom checkout flows where the storefront UI is decoupled from the commerce backend, shrinking the attack surface and giving you control over exactly what runs in the browser. We add input-validation and integrity-monitoring layers to checkout and account pages, build admin dashboards that flag anomalous requests, and integrate your store cleanly with payment, tax, and fulfillment APIs through a maintained integration layer rather than ad-hoc plugins. If you want eyes on the store beyond the desk, we build companion mobile apps and alerting so your team sees order and security signals in real time. Everything we ship is web and mobile software we write and maintain — not hardware or managed infrastructure.
Bottom line
CVE-2026-45247 is a reminder that for ecommerce, security lives in the details of your stack — especially the third-party extensions you rarely think about. The immediate move is simple: patch Mirasvit Cache Warmer and block the malicious cookie. The lasting move is structural: a storefront built and maintained so the next critical flaw is found, patched, and deployed before it becomes a breach. That is the kind of resilient web and mobile commerce software Vadimages exists to build.
This article is general information about a publicly disclosed vulnerability, not security-incident or legal advice; consult qualified professionals for your specific environment.
