Description
A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch ASAP
AI Analysis

Impact

The vulnerability resides in 666ghj MiroFish version 0.1.2 and earlier, specifically in the create_app function of backend/app/__init__.py. The flaw results in missing authentication on the REST API endpoint, which can be reached remotely. This allows unauthorized users to access functionality or data exposed by the API.

Affected Systems

All instances of 666ghj MiroFish up to and including version 0.1.2 are impacted. No specific sub‑components or configuration variations are listed beyond the cited file and version range.

Risk and Exploitability

The CVSS score of 6.9 is rated Medium. The EPSS score of <1% signals a low probability of exploitation at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack vector is remote, and an exploit has already been published, meaning that a threat actor could trigger the authentication bypass from outside the network.

Generated by OpenCVE AI on April 28, 2026 at 05:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of 666ghj MiroFish once a patch addressing the authentication check in create_app is released.
  • If an immediate update is not possible, add a mandatory authentication guard around the REST API endpoint to enforce proper credential verification before processing any requests.
  • Configure network perimeter controls or firewall rules to limit traffic to the REST API to trusted IP ranges until the vulnerability is fully resolved.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 666ghj, 666ghj mirofish
Vendors & Products | | 666ghj, 666ghj mirofish

Mon, 27 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 26 Apr 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title | | 666ghj MiroFish REST API Endpoint __init__.py create_app missing authentication
Weaknesses | | CWE-287, CWE-306
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:31:24.707Z

Reserved: 2026-04-25T15:57:10.365Z

Link: CVE-2026-7042

Vulnrichment

Updated: 2026-04-27T13:12:57.344Z

NVD

Status: Deferred

Published: 2026-04-26T22:17:31.673

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses