Skip to main content

MiroFish CVE-2026-7058

| EUVDEUVD-2026-25728 MEDIUM
Command Injection (CWE-77)
2026-04-26 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 26, 2026 - 22:22 NVD
HIGH MEDIUM
CVSS changed
Apr 26, 2026 - 22:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 26, 2026 - 20:15 vuln.today
EUVD ID Assigned
Apr 26, 2026 - 20:00 euvd
EUVD-2026-25728
Analysis Generated
Apr 26, 2026 - 20:00 vuln.today
CVE Published
Apr 26, 2026 - 19:45 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability has been found in 666ghj MiroFish up to 0.1.2. The impacted element is the function SimulationIPCClient.send_command of the file backend/app/services/simulation_ipc.py of the component Inter-Process Communication. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system commands through the SimulationIPCClient.send_command function in the inter-process communication module. The vulnerability is actively exploitable via network access with low complexity, requiring no user interaction or authentication. A public proof-of-concept exploit has been disclosed (GitHub issue #488), and EPSS data shows moderate exploitation probability. The vendor (666ghj) has been notified via issue report but has not responded or released a patch, leaving all MiroFish installations vulnerable to remote compromise.

Technical ContextAI

This vulnerability affects the backend/app/services/simulation_ipc.py file in MiroFish, specifically the SimulationIPCClient.send_command function used for inter-process communication (IPC). The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), commonly known as OS command injection. The affected component fails to properly sanitize user-supplied input before passing it to system command execution functions, allowing attackers to inject shell metacharacters or command separators. MiroFish appears to be a simulation or monitoring application that uses IPC for backend communication between processes. The vulnerable function likely accepts parameters from network requests and forwards them to system commands without validation, creating a direct pathway from network input to shell execution. The CPE identifier cpe:2.3:a:666ghj:mirofish confirms the vendor and product namespace.

RemediationAI

No vendor-released patch exists at time of analysis - the project maintainer (666ghj) has not responded to the vulnerability disclosure submitted via GitHub issue #488 (https://github.com/666ghj/MiroFish/issues/488). Organizations must implement immediate compensating controls: (1) Remove all internet-facing exposure to MiroFish services by blocking external network access to affected ports/endpoints at firewall level - this prevents remote exploitation but eliminates legitimate remote access. (2) Implement strict network segmentation to isolate MiroFish instances on trusted internal networks with IP allowlisting for authorized clients only - reduces attack surface to insider threats and lateral movement scenarios. (3) Deploy web application firewall (WAF) or reverse proxy with command injection signature detection ahead of MiroFish endpoints, specifically filtering shell metacharacters (semicolons, pipes, backticks, dollar signs) in requests to simulation_ipc endpoints - may cause false positives if legitimate commands use these characters. (4) Monitor MiroFish process execution using EDR/auditd for unexpected child processes spawned from the Python backend, alerting on shell invocations (bash, sh, cmd.exe). (5) Consider migrating to alternative solutions or forking the project to apply input validation patches manually to SimulationIPCClient.send_command. Given vendor abandonment risk, long-term use of MiroFish poses unacceptable security debt.

Share

CVE-2026-7058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy