CVE-2026-7041 - Vulnerability Details

- 666ghj MiroFish Werkzeug Debugger PIN console information disclosure

Description

A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation of the argument SECRET results in information disclosure. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-04-26

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Werkzeug Debugger PIN Handler component of 666ghj MiroFish. By manipulating the SECRET argument of the /console endpoint, an attacker can cause the application to disclose console information. This leads to a confidentiality breach, allowing the remote extraction of potentially sensitive internal data. The weakness is documented as CWE‑200 (Information Exposure) and CWE‑284 (Improper Authorization).

Affected Systems

Vendors and products affected are 666ghj and MiroFish, with vulnerable releases through version 0.1.2. The issue is tied to the /console endpoint of the Werkzeug Debugger PIN Handler. No other vendors or product versions are listed as impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate‑to‑high severity, while the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote via manipulation of the SECRET argument, requires high complexity, and is considered difficult to exploit, though a public exploit exists. Overall, the risk is moderate but warrants attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

666ghj

MiroFish

affected

Version	Status	Constraints
`0.1.0`	affected	—
`0.1.1`	affected	—
`0.1.2`	affected	—

No data.

Vendor Product Confidence Versions

666ghj

Mirofish

100%

Version	Status	Scheme	Platform
`0.1.0`	affected	semver	—
`0.1.1`	affected	semver	—
`0.1.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Restrict or disable public access to the Werkzeug Debugger PIN Handler by blocking the /console endpoint or moving it behind an authentication gate
Enforce strict authentication and input validation on the SECRET parameter to prevent unauthorized disclosure
Monitor the 666ghj MiroFish project’s GitHub repository and the vulnerability reporting site for an official patch, and apply the patch promptly when released

Generated by OpenCVE AI on April 28, 2026 at 05:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/666ghj/MiroFish/
https://github.com/666ghj/MiroFish/issues/483
https://vuldb.com/submit/798526
https://vuldb.com/vuln/359620
https://vuldb.com/vuln/359620/cti

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		666ghj 666ghj mirofish
Vendors & Products		666ghj 666ghj mirofish

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 26 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation of the argument SECRET results in information disclosure. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title		666ghj MiroFish Werkzeug Debugger PIN console information disclosure
Weaknesses		CWE-200 CWE-284
References		https://github.com/666ghj/MiroFish/ https://github.com/666ghj/MiroFish/issues/483 https://vuldb.com/submit/798526 https://vuldb.com/vuln/359620 https://vuldb.com/vuln/359620/cti
Metrics		cvssV2_0 `{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR'}` cvssV3_0 `{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R'}` cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

666ghj Mirofish

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-26T12:45:12.357Z

Updated: 2026-04-27T13:10:03.077Z

Reserved: 2026-04-25T15:54:19.855Z

Link: CVE-2026-7041

Vulnrichment

Updated: 2026-04-27T13:09:58.455Z

NVD

Status : Deferred

Published: 2026-04-26T13:16:01.813

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object