Skip to main content

Mirofish

4 CVEs product

Monthly

CVE-2026-7059 MEDIUM POC This Month

Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manipulation of the Platform query parameter in the get_simulation_posts function. The vulnerability affects the backend simulation API endpoint and has publicly available exploit code, though exploitation is limited to information disclosure rather than modification or availability impact.

Path Traversal Mirofish
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7058 MEDIUM POC This Month

Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system commands through the SimulationIPCClient.send_command function in the inter-process communication module. The vulnerability is actively exploitable via network access with low complexity, requiring no user interaction or authentication. A public proof-of-concept exploit has been disclosed (GitHub issue #488), and EPSS data shows moderate exploitation probability. The vendor (666ghj) has been notified via issue report but has not responded or released a patch, leaving all MiroFish installations vulnerable to remote compromise.

Command Injection Mirofish
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
1.0%
CVE-2026-7042 MEDIUM POC This Month

Missing authentication in MiroFish REST API allows remote attackers to bypass security controls and access protected endpoints without credentials. The vulnerability affects MiroFish versions up to 0.1.2 in the create_app function within backend/app/__init__.py. A publicly available exploit demonstrates the attack (GitHub issue #487), and the vulnerability is trivially exploitable with CVSS complexity rated Low and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). The vendor has not responded to responsible disclosure attempts, leaving users without an official patch. With CVSS 7.3 (High) and confirmed public POC, this represents an immediate risk to deployments exposing the REST API to untrusted networks.

Authentication Bypass Mirofish
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7041 LOW POC Monitor

Information disclosure in MiroFish up to version 0.1.2 allows remote attackers to leak sensitive data through manipulation of the SECRET argument in the Werkzeug Debugger PIN Handler at the /console endpoint. The vulnerability requires high attack complexity and has a low CVSS score (3.7) indicating limited confidentiality impact, but publicly available exploit code exists and the vendor has not responded to early notification.

Information Disclosure Mirofish
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manipulation of the Platform query parameter in the get_simulation_posts function. The vulnerability affects the backend simulation API endpoint and has publicly available exploit code, though exploitation is limited to information disclosure rather than modification or availability impact.

Path Traversal Mirofish
NVD VulDB GitHub
EPSS 1% CVSS 5.5
MEDIUM POC This Month

Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system commands through the SimulationIPCClient.send_command function in the inter-process communication module. The vulnerability is actively exploitable via network access with low complexity, requiring no user interaction or authentication. A public proof-of-concept exploit has been disclosed (GitHub issue #488), and EPSS data shows moderate exploitation probability. The vendor (666ghj) has been notified via issue report but has not responded or released a patch, leaving all MiroFish installations vulnerable to remote compromise.

Command Injection Mirofish
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Missing authentication in MiroFish REST API allows remote attackers to bypass security controls and access protected endpoints without credentials. The vulnerability affects MiroFish versions up to 0.1.2 in the create_app function within backend/app/__init__.py. A publicly available exploit demonstrates the attack (GitHub issue #487), and the vulnerability is trivially exploitable with CVSS complexity rated Low and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). The vendor has not responded to responsible disclosure attempts, leaving users without an official patch. With CVSS 7.3 (High) and confirmed public POC, this represents an immediate risk to deployments exposing the REST API to untrusted networks.

Authentication Bypass Mirofish
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Information disclosure in MiroFish up to version 0.1.2 allows remote attackers to leak sensitive data through manipulation of the SECRET argument in the Werkzeug Debugger PIN Handler at the /console endpoint. The vulnerability requires high attack complexity and has a low CVSS score (3.7) indicating limited confidentiality impact, but publicly available exploit code exists and the vendor has not responded to early notification.

Information Disclosure Mirofish
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy