CVE-2026-7058
Published: 26 April 2026
Summary
CVE-2026-7058 is a high-severity Injection (CWE-74) vulnerability, specifically a command injection, in 666ghj MiroFish up to version 0.1.2. Its CVSS 3.1 base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.5% of all CVEs by estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents command injection in SimulationIPCClient.send_command by requiring validation and sanitization of inputs prior to processing.
- SI-2 (Flaw Remediation): addresses the specific flaw in MiroFish's IPC component by requiring timely identification, reporting, and remediation through patching or workarounds.
- AC-6 (Least Privilege): limits the impact of successful command injection by enforcing least privilege on the processes that handle IPC communications.
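The first and third controls describe one concrete code pattern: stop attacker text from reaching a shell, and run whatever does execute with as little privilege as possible. The Python below is an added example and is not MiroFish's code; the shape of send_command, the command vocabulary, the simulation-ctl executable and the recording runner are all assumptions made for illustration. It places the vulnerable string-building pattern beside an allow-list validator that hands an argv list to subprocess with shell=False, and exposes subprocess.run's own user= parameter as the least-privilege hook.

```python
"""Added example, not MiroFish's code: the vulnerable and hardened
send_command shapes below are assumptions made to illustrate SI-10
(input validation) and AC-6 (least privilege). The command vocabulary
and the 'simulation-ctl' executable are constructed for this example."""
import re
import subprocess

# Constructed allow-list: verb -> flags, each taking one positional argument.
ALLOWED_COMMANDS = {
    "start": ["--scenario"],
    "stop": [],
    "status": [],
}
# Conservative token shape for arguments; shell metacharacters never match.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class CommandValidationError(ValueError):
    """Raised when a command received over the network is refused."""


def vulnerable_build(command: str) -> str:
    """The failure mode behind CWE-77: attacker text is spliced into a string
    that shell=True later hands to /bin/sh, so 'status; id' runs two commands.
    Returned as a string here so the example never executes it."""
    return f"simulation-ctl {command}"


def validate_command(command: str) -> list[str]:
    """SI-10 check: whitespace split (no shell parsing), allow-listed verb,
    exact argument count, and every argument matching SAFE_TOKEN.
    Returns an argv list, never a string, so no interpreter sees the input."""
    parts = command.split()
    if not parts:
        raise CommandValidationError("empty command")
    verb, args = parts[0], parts[1:]
    if verb not in ALLOWED_COMMANDS:
        raise CommandValidationError(f"unknown command {verb!r}")
    flags = ALLOWED_COMMANDS[verb]
    if len(args) != len(flags):
        raise CommandValidationError(f"{verb!r} expects {len(flags)} argument(s)")
    for arg in args:
        if not SAFE_TOKEN.match(arg):
            raise CommandValidationError(f"rejected argument {arg!r}")
    argv = ["simulation-ctl", verb]
    for flag, arg in zip(flags, args):
        argv += [flag, arg]
    return argv


def is_accepted(command: str) -> bool:
    """True if validate_command would let the command through."""
    try:
        validate_command(command)
    except CommandValidationError:
        return False
    return True


def hardened_send(command, runner=subprocess.run, user=None):
    """Hardened send_command shape: validate first, then exec an argv list with
    shell=False. 'user' (AC-6) drops the child to an unprivileged account via
    subprocess.run's own user= parameter (Python 3.9+, POSIX only)."""
    argv = validate_command(command)
    kwargs = dict(shell=False, capture_output=True, text=True)
    if user is not None:
        kwargs["user"] = user
    return runner(argv, **kwargs)


if __name__ == "__main__":
    payload = "status; id"  # constructed injection attempt
    print("vulnerable path would run:", vulnerable_build(payload))
    # A recording runner stands in for subprocess.run so this runs offline.
    record = lambda argv, **kw: argv
    print("hardened path execs argv:", hardened_send("start scenario_42", runner=record))
    try:
        hardened_send(payload, runner=record)
    except CommandValidationError as exc:
        print("hardened path refused:", exc)
```

The point of returning an argv list rather than a sanitized string is that the kernel receives the arguments exactly as separate strings; there is no second parse in which `;`, `$(...)` or a newline could change meaning. The allow-list also rejects unknown verbs and wrong argument counts, so a new command cannot be smuggled in by getting past the character filter alone.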
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote command injection vulnerability in a network-accessible IPC component directly enables exploitation of public-facing applications for initial access (T1190) and execution of arbitrary commands via command interpreters (T1059).
NVD Description
A vulnerability has been found in 666ghj MiroFish up to 0.1.2. The impacted element is the function SimulationIPCClient.send_command of the file backend/app/services/simulation_ipc.py of the component Inter-Process Communication. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-7058 is a command injection vulnerability in 666ghj MiroFish versions up to 0.1.2. The affected component is the Inter-Process Communication functionality, specifically the SimulationIPCClient.send_command function in the file backend/app/services/simulation_ipc.py. The flaw is classified under CWE-74 (Injection) and CWE-77 (Command Injection) and has a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers need no privileges or user interaction to exploit the vulnerability. By supplying crafted input to send_command they can inject arbitrary commands; the vector rates the resulting loss of confidentiality, integrity and availability as Low on each axis (C:L/I:L/A:L) with no scope change (S:U).
The project was informed of the issue early via GitHub issue #488 but has not responded or released patches. Advisories on VulDB detail the vulnerability and note that the exploit has been publicly disclosed, making it available for use. Practitioners should monitor the GitHub repository for updates and consider restricting network access to MiroFish instances until mitigation is available.
Details
- CWE(s)