CVE-2026-7058
Published: 26 April 2026
Summary
CVE-2026-7058 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability has been identified in MiroFish versions up to 0.1.2, located in the SimulationIPCClient.send_command function of the backend/app/services/simulation_ipc.py file within the Inter-Process Communication component. The flaw, tracked under CWE-74 and CWE-77, allows remote manipulation that results in arbitrary command execution and carries a CVSS 4.0 score of 5.5.
An unauthenticated attacker can launch the attack over the network to inject commands through the affected IPC function, achieving limited impacts on confidentiality, integrity, and availability. The exploit code has been made public and may be usable against exposed instances.
The issue was disclosed early via a GitHub issue report on the project repository, but the maintainers have not responded or released a patch. Public references, including the repository and the VulDB entry, provide further details on the report but contain no mitigation guidance. The associated EPSS score has remained low and essentially flat.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25728
Vulnerability details
A vulnerability has been found in 666ghj MiroFish up to 0.1.2. The impacted element is the function SimulationIPCClient.send_command of the file backend/app/services/simulation_ipc.py of the component Inter-Process Communication. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote command injection vulnerability in a network-accessible IPC component directly enables exploitation of public-facing applications for initial access (T1190) and execution of arbitrary commands via command interpreters (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents command injection in SimulationIPCClient.send_command by requiring validation and sanitization of inputs prior to processing.
- SI-2 (Flaw Remediation): Addresses the specific flaw in MiroFish's IPC component by requiring timely identification, reporting, and remediation through patching or workarounds.
- Least-privilege process execution: Limits the impact of successful command injection by enforcing least privilege on processes handling IPC communications.
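The following is an added illustration of the SI-10 control above, not MiroFish's code and not a claim about how its send_command is written: a hypothetical IPC client that contrasts the pattern behind this class of bug (caller input interpolated into a shell string) with a validated version that builds an argv list, and records rejected requests for detection. The command table, worker executable name and argument grammar are assumptions.

```python
import re
from typing import Sequence

# Constructed, hypothetical IPC client: NOT MiroFish's code. It models the pattern
# behind CVE-2026-7058 (a send_command that forwards caller input to a command
# interpreter) and the SI-10 style validation that closes it. The command table,
# executable name and argument grammar are assumptions.
ALLOWED_COMMANDS = {"start": 1, "stop": 1, "status": 0}  # verb -> max argument count
WORKER = "simulation-worker"
SAFE_ARG = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # strict grammar, no shell metacharacters


class IPCValidationError(ValueError):
    """Raised when an IPC request fails input validation."""


def build_shell_string_unsafe(command: str, args: Sequence[str]) -> str:
    """Vulnerable pattern: caller input interpolated into one shell string.
    Metacharacters such as ';' or '$(...)' pass straight through to the shell."""
    return f"{WORKER} {command} {' '.join(args)}"


def build_argv_validated(command: str, args: Sequence[str]) -> list:
    """Hardened pattern: allowlist the verb, constrain every argument to a strict
    grammar, and return an argv list for subprocess.run(argv) with shell=False,
    so no interpreter ever parses the caller's data."""
    if command not in ALLOWED_COMMANDS:
        raise IPCValidationError(f"unknown IPC command {command!r}")
    if len(args) > ALLOWED_COMMANDS[command]:
        raise IPCValidationError(f"{command} takes at most {ALLOWED_COMMANDS[command]} argument(s)")
    for arg in args:
        if not SAFE_ARG.fullmatch(arg):
            raise IPCValidationError(f"rejected IPC argument {arg!r}")
    return [WORKER, command, *args]


def handle_ipc_request(payload: dict, audit_log: list) -> dict:
    """Validate one IPC message (constructed JSON-like dict) and log rejections."""
    command = str(payload.get("command", ""))
    raw_args = payload.get("args", [])
    args = [str(a) for a in raw_args] if isinstance(raw_args, list) else ["<non-list args>"]
    try:
        argv = build_argv_validated(command, args)
    except IPCValidationError as exc:
        audit_log.append({"event": "ipc_rejected", "command": command, "reason": str(exc)})
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "argv": argv}


if __name__ == "__main__":
    log = []
    print(build_shell_string_unsafe("start", ["sim1; id"]))  # metacharacters reach the shell
    print(handle_ipc_request({"command": "start", "args": ["sim1; id"]}, log), log)
    print(handle_ipc_request({"command": "status", "args": []}, log))
```

The rejection records in the audit log are the detection hook: repeated `ipc_rejected` events from one client are a useful signal that someone is probing the channel.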