Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability has been found in 666ghj MiroFish up to 0.1.2. The impacted element is the function SimulationIPCClient.send_command of the file backend/app/services/simulation_ipc.py of the component Inter-Process Communication. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system commands through the SimulationIPCClient.send_command function in the inter-process communication module. The vulnerability is actively exploitable via network access with low complexity, requiring no user interaction or authentication. A public proof-of-concept exploit has been disclosed (GitHub issue #488), and EPSS data shows moderate exploitation probability. The vendor (666ghj) has been notified via issue report but has not responded or released a patch, leaving all MiroFish installations vulnerable to remote compromise.
Technical ContextAI
This vulnerability affects the backend/app/services/simulation_ipc.py file in MiroFish, specifically the SimulationIPCClient.send_command function used for inter-process communication (IPC). The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), commonly known as OS command injection. The affected component fails to properly sanitize user-supplied input before passing it to system command execution functions, allowing attackers to inject shell metacharacters or command separators. MiroFish appears to be a simulation or monitoring application that uses IPC for backend communication between processes. The vulnerable function likely accepts parameters from network requests and forwards them to system commands without validation, creating a direct pathway from network input to shell execution. The CPE identifier cpe:2.3:a:666ghj:mirofish confirms the vendor and product namespace.
RemediationAI
No vendor-released patch exists at time of analysis - the project maintainer (666ghj) has not responded to the vulnerability disclosure submitted via GitHub issue #488 (https://github.com/666ghj/MiroFish/issues/488). Organizations must implement immediate compensating controls: (1) Remove all internet-facing exposure to MiroFish services by blocking external network access to affected ports/endpoints at firewall level - this prevents remote exploitation but eliminates legitimate remote access. (2) Implement strict network segmentation to isolate MiroFish instances on trusted internal networks with IP allowlisting for authorized clients only - reduces attack surface to insider threats and lateral movement scenarios. (3) Deploy web application firewall (WAF) or reverse proxy with command injection signature detection ahead of MiroFish endpoints, specifically filtering shell metacharacters (semicolons, pipes, backticks, dollar signs) in requests to simulation_ipc endpoints - may cause false positives if legitimate commands use these characters. (4) Monitor MiroFish process execution using EDR/auditd for unexpected child processes spawned from the Python backend, alerting on shell invocations (bash, sh, cmd.exe). (5) Consider migrating to alternative solutions or forking the project to apply input validation patches manually to SimulationIPCClient.send_command. Given vendor abandonment risk, long-term use of MiroFish poses unacceptable security debt.
Missing authentication in MiroFish REST API allows remote attackers to bypass security controls and access protected end
Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manip
Information disclosure in MiroFish up to version 0.1.2 allows remote attackers to leak sensitive data through manipulati
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25728