Description
A vulnerability was found in 666ghj MiroFish up to 0.1.2. This affects the function get_simulation_posts of the file backend/app/api/simulation.py of the component Query Parameter Handler. Performing a manipulation of the argument Platform results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used.
Published: 2026-04-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Traversal
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates from how the get_simulation_posts function handles the Platform query parameter in MiroFish’s Query Parameter Handler. An attacker can supply a crafted Platform value containing directory traversal sequences, causing the application to resolve a path outside the intended base directory. This flaw permits unauthorized reading or modification of files whose location is beyond the protected data directory, thereby compromising the confidentiality and integrity of system files. The weakness is a classic example of CWE-22 (improper limitation of a pathname to a restricted directory), in which the resolved path is not validated against the intended base directory before the file is accessed.

Affected Systems

This issue affects the 666ghj MiroFish application, versions up to and including 0.1.2. There is no evidence that versions beyond 0.1.2 contain the fix. System administrators should confirm the deployed version against the vendor’s release notes to determine if the vulnerability is present.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The description states that the exploitation can be performed remotely by sending a crafted HTTP request to the /simulation endpoint with a malicious Platform parameter, which will trigger arbitrary file access without authentication.

Generated by OpenCVE AI on April 28, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MiroFish to 0.1.3 or later when the patch is available.
  • If an immediate update is not possible, sanitize the Platform query parameter to allow only whitelisted values or enforce strict directory boundaries before file access.
  • Configure the web server or application environment to restrict the process’s file system permissions so that even if a path traversal occurs, it cannot access sensitive areas outside the designated content directory.
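An added illustration of the second recommended action (allowlisting the Platform value and enforcing a directory boundary before file access). This is example code, not MiroFish's own handler; the helper names, the allowlist contents and the data-file layout are assumptions made for illustration.

```python
"""Hardened lookup of a per-platform data file from an untrusted query parameter.

Added example for CWE-22 mitigation; this is not MiroFish's code. The helper
names, the allowlist contents and the '<base_dir>/<platform>_posts.json' layout
are assumptions made for illustration only.
"""
from pathlib import Path

# Assumed allowlist: the only platform names the handler is willing to serve.
ALLOWED_PLATFORMS = frozenset({"twitter", "reddit"})


def is_within(base_dir: str, path: str) -> bool:
    """True if `path`, after resolving '..' and symlinks, stays under base_dir.

    Comparing Path components (not string prefixes) avoids the classic
    mistake where '/srv/data2/x' is accepted because it starts with '/srv/data'.
    """
    base = Path(base_dir).resolve()
    target = Path(path).resolve()
    return target == base or base in target.parents


def resolve_posts_file(base_dir: str, platform: str) -> Path:
    """Map an untrusted `platform` value to the file it may read.

    Two independent defences: an allowlist on the raw value, then a containment
    check on the fully resolved path. Raises ValueError on either failure.
    """
    if platform not in ALLOWED_PLATFORMS:
        raise ValueError(f"unsupported platform: {platform!r}")
    candidate = Path(base_dir) / f"{platform}_posts.json"
    if not is_within(base_dir, str(candidate)):
        raise ValueError("resolved path escapes the data directory")
    return candidate.resolve()


def is_safe_platform(base_dir: str, platform: str) -> bool:
    """Convenience wrapper returning True if both checks pass."""
    try:
        resolve_posts_file(base_dir, platform)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a valid value passes, traversal-style values do not.
    for value in ("twitter", "../../etc/passwd", "twitter/../../x"):
        print(f"{value!r:>20} -> {is_safe_platform('/srv/app/data', value)}")
```

The allowlist alone already stops the traversal; the containment check is kept as a second, independent guard so that a later change to the allowlist (or a value that passes through a different code path) still cannot escape the data directory.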


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  666ghj; 666ghj mirofish
Vendors & Products                   666ghj; 666ghj mirofish

Mon, 27 Apr 2026 14:15:00 +0000

Type     Values Removed  Values Added
Metrics                  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 20:15:00 +0000

Type         Values Removed  Values Added
Description                  A vulnerability was found in 666ghj MiroFish up to 0.1.2. This affects the function get_simulation_posts of the file backend/app/api/simulation.py of the component Query Parameter Handler. Performing a manipulation of the argument Platform results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used.
Title                        666ghj MiroFish Query Parameter simulation.py get_simulation_posts path traversal
Weaknesses                   CWE-22
References
Metrics                      cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
                             cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                             cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                             cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:30:46.709Z

Reserved: 2026-04-26T01:08:46.182Z

Link: CVE-2026-7059

Vulnrichment

Updated: 2026-04-27T13:12:59.400Z

NVD

Status: Deferred

Published: 2026-04-26T22:17:33.423

Modified: 2026-04-27T18:50:06.087

Link: CVE-2026-7059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:30:32Z

Weaknesses