
CVE-2026-7058

Severity: Medium
Published: 26 April 2026
Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS v4 base score: 5.5 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0212 (84.5th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-7058 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability has been identified in MiroFish versions up to 0.1.2, located in the SimulationIPCClient.send_command function of the backend/app/services/simulation_ipc.py file within the Inter-Process Communication component. The flaw, tracked under CWE-74 and CWE-77, allows remote manipulation that results in arbitrary command execution and carries a CVSS 4.0 score of 5.5.

An unauthenticated attacker can launch the attack over the network to inject commands through the affected IPC function, achieving limited impacts on confidentiality, integrity, and availability. The exploit code has been made public and may be usable against exposed instances.

The issue was disclosed early via a GitHub issue report on the project repository, but the maintainers have not responded or released a patch. Public references, including the repository and the VulDB entry, provide further details on the report but contain no mitigation guidance. The associated EPSS score has remained low and essentially flat.


Vulnerability details

A vulnerability has been found in 666ghj MiroFish up to 0.1.2. The impacted element is the function SimulationIPCClient.send_command of the file backend/app/services/simulation_ipc.py of the component Inter-Process Communication. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Remote command injection vulnerability in a network-accessible IPC component directly enables exploitation of public-facing applications for initial access (T1190) and execution of arbitrary commands via command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15131 (shared CWE-74, CWE-77)
CVE-2026-1687 (shared CWE-74, CWE-77)
CVE-2026-1414 (shared CWE-74, CWE-77)
CVE-2025-1845 (shared CWE-74, CWE-77)
CVE-2025-1947 (shared CWE-74, CWE-77)
CVE-2025-15133 (shared CWE-74, CWE-77)
CVE-2025-0328 (shared CWE-74, CWE-77)
CVE-2025-10962 (shared CWE-74, CWE-77)
CVE-2025-1946 (shared CWE-74, CWE-77)
CVE-2026-3943 (shared CWE-74, CWE-77)


Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): Directly prevents command injection in SimulationIPCClient.send_command by requiring validation and sanitization of inputs prior to processing.

Prevent, SI-2 (Flaw Remediation): Addresses the specific flaw in MiroFish's IPC component by requiring timely identification, reporting, and remediation through patching or workarounds.

Prevent, least privilege: Limits the impact of successful command injection by enforcing least privilege on the processes that handle IPC communications.
