Skip to main content

MiroFish EUVDEUVD-2026-25729

| CVE-2026-7059 MEDIUM
Path Traversal (CWE-22)
2026-04-26 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
PoC Detected
Apr 27, 2026 - 18:50 vuln.today
Public exploit code
CVSS changed
Apr 26, 2026 - 22:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Apr 26, 2026 - 20:30 vuln.today
EUVD ID Assigned
Apr 26, 2026 - 20:15 euvd
EUVD-2026-25729
Analysis Generated
Apr 26, 2026 - 20:15 vuln.today
CVE Published
Apr 26, 2026 - 20:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was found in 666ghj MiroFish up to 0.1.2. This affects the function get_simulation_posts of the file backend/app/api/simulation.py of the component Query Parameter Handler. Performing a manipulation of the argument Platform results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used.

AnalysisAI

Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manipulation of the Platform query parameter in the get_simulation_posts function. The vulnerability affects the backend simulation API endpoint and has publicly available exploit code, though exploitation is limited to information disclosure rather than modification or availability impact.

Technical ContextAI

MiroFish is a backend application containing an API endpoint (backend/app/api/simulation.py) that processes query parameters without proper path normalization. The get_simulation_posts function fails to validate or sanitize the Platform parameter, which is likely used in file path construction or directory traversal operations. This is a classic path traversal vulnerability (CWE-22) where an attacker can use directory traversal sequences (such as ../ or absolute paths) to access files outside the intended directory. The CVSS vector indicates network-accessible exploitation with no authentication required and low attack complexity, typical of query parameter injection attacks.

RemediationAI

Immediate remediation requires upgrading MiroFish to a version newer than 0.1.2 if available from the vendor (https://github.com/666ghj/MiroFish/). If no patched version is currently available, the application should be taken offline or the vulnerable /simulation endpoint restricted to trusted networks only via firewall rules or API gateway controls. As a temporary workaround, implement input validation on the Platform query parameter to reject any value containing path traversal sequences such as ../, ..\ or absolute paths beginning with / or drive letters (e.g., C:), and restrict the application's filesystem permissions so the Python process runs with minimal file access rights. Additionally, review logs via VulDB (https://vuldb.com/vuln/359632) and GitHub issues (https://github.com/666ghj/MiroFish/issues/489) to determine if vendor fixes or patches are available.

Share

EUVD-2026-25729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy