CVE-2026-45247: Mirasvit Magento RCE, Patch Now
2 articles tagged #php
CVE-2026-45247 Mirasvit Magento RCE via PHP deserialization in the Cache Warmer extension. CVSS 9.8. Active exploitation confirmed. Patch to 1.11.12.
CVE-2026-46633 in Twig lets a single quote in a template name inject arbitrary PHP into the cache file. Twig sandbox does not block it. Fixed in Twig 3.26.0.