CVE-2026-7059
Path Traversal in 666ghj MiroFish Query Parameter Handler
Publication date: 2026-04-26
Last updated on: 2026-04-26
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 666ghj | mirofish | to 0.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the 666ghj MiroFish software up to version 0.1.2, specifically in the function get_simulation_posts within the backend/app/api/simulation.py file. It involves the Query Parameter Handler component. An attacker can manipulate the argument named Platform to perform a path traversal attack. This means the attacker can access files and directories outside the intended scope by crafting the Platform parameter. The attack can be launched remotely, and the exploit has been made public.
How can this vulnerability impact me? :
The vulnerability allows an attacker to perform a path traversal attack remotely by manipulating the Platform argument. This can lead to unauthorized access to files and directories on the server that are outside the intended access scope. Such unauthorized access could expose sensitive information, potentially compromising confidentiality. According to the CVSS v3.1 score, the impact is limited to confidentiality (C:L) with no impact on integrity or availability.