Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in 666ghj MiroFish up to 0.1.2. This affects the function get_simulation_posts of the file backend/app/api/simulation.py of the component Query Parameter Handler. Performing a manipulation of the argument Platform results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used.
AnalysisAI
Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manipulation of the Platform query parameter in the get_simulation_posts function. The vulnerability affects the backend simulation API endpoint and has publicly available exploit code, though exploitation is limited to information disclosure rather than modification or availability impact.
Technical ContextAI
MiroFish is a backend application containing an API endpoint (backend/app/api/simulation.py) that processes query parameters without proper path normalization. The get_simulation_posts function fails to validate or sanitize the Platform parameter, which is likely used in file path construction or directory traversal operations. This is a classic path traversal vulnerability (CWE-22) where an attacker can use directory traversal sequences (such as ../ or absolute paths) to access files outside the intended directory. The CVSS vector indicates network-accessible exploitation with no authentication required and low attack complexity, typical of query parameter injection attacks.
RemediationAI
Immediate remediation requires upgrading MiroFish to a version newer than 0.1.2 if available from the vendor (https://github.com/666ghj/MiroFish/). If no patched version is currently available, the application should be taken offline or the vulnerable /simulation endpoint restricted to trusted networks only via firewall rules or API gateway controls. As a temporary workaround, implement input validation on the Platform query parameter to reject any value containing path traversal sequences such as ../, ..\ or absolute paths beginning with / or drive letters (e.g., C:), and restrict the application's filesystem permissions so the Python process runs with minimal file access rights. Additionally, review logs via VulDB (https://vuldb.com/vuln/359632) and GitHub issues (https://github.com/666ghj/MiroFish/issues/489) to determine if vendor fixes or patches are available.
Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system c
Missing authentication in MiroFish REST API allows remote attackers to bypass security controls and access protected end
Information disclosure in MiroFish up to version 0.1.2 allows remote attackers to leak sensitive data through manipulati
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25729