CVE-2026-7042

HIGH

666ghj MiroFish REST API Endpoint init.py create_app missing authentication

Title source: cna

Description

A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/359621

[Signature, Permissions Required] https://vuldb.com/vuln/359621/cti

[Third Party Advisory] https://vuldb.com/submit/798583

[Exploit] https://github.com/666ghj/MiroFish/issues/487

[Product] https://github.com/666ghj/MiroFish/

Scores

CVSS v3 7.3

EPSS 0.0007

EPSS Percentile 20.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-287 CWE-306

Status published

Products (3)

666ghj/MiroFish 0.1.0

666ghj/MiroFish 0.1.1

666ghj/MiroFish 0.1.2

Published Apr 26, 2026

Tracked Since Apr 26, 2026