CVE-2026-7059
Description
A vulnerability was found in 666ghj MiroFish up to 0.1.2. This affects the function get_simulation_posts of the file backend/app/api/simulation.py of the component Query Parameter Handler. Performing a manipulation of the argument Platform results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MiroFish v0.1.2's API endpoint uses an unvalidated platform query parameter to construct SQLite database paths, enabling remote path traversal.
Root Cause
CVE-2026-7059 is a path traversal vulnerability in MiroFish v0.1.2, specifically in the get_simulation_posts function of backend/app/api/simulation.py [1]. The component mishandles the platform query parameter by directly interpolating it into a SQLite database filename pattern ({platform}_simulation.db) without any sanitization or validation [1]. An attacker can therefore inject directory traversal sequences (e.g., ../) via the platform parameter and open a database file outside the intended directory, limited only by the fixed _simulation.db suffix [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely by sending a crafted GET request to the /api/simulation/<simulation_id>/posts endpoint [1]. No authentication is required, and the attack does not rely on a POST body — the malicious platform value is simply supplied as a query string parameter [1]. The path traversal sequence in the platform argument enables the attacker to navigate outside the intended uploads/simulations/ directory [1].
Impact
Successful exploitation allows an attacker to read the full contents of any SQLite database file on the server that ends with _simulation.db [1]. This includes sensitive data such as posts, comments, and related counts from other simulations [1]. The vulnerability leads to high confidentiality impact without any requirement for user interaction or special privileges [1].
Mitigation
As of the advisory publication, no patch has been released for MiroFish v0.1.2 [1]. The vendor has been notified, and users are advised to apply input validation on the platform parameter, specifically by rejecting any values containing path traversal sequences or by restricting the parameter to an allow-list of supported platform identifiers [1]. Of the two, the allow-list is the robust choice: a blocklist of traversal sequences has to anticipate every encoding and separator variant, whereas an allow-list of known platform names leaves nothing to interpolate. The vulnerability has been publicly disclosed, increasing the risk of exploitation [1].
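The request handling described under Exploitation and the allow-list fix recommended under Mitigation, as one added Python example that is not MiroFish's code. It reconstructs the filename pattern the advisory describes; the uploads/simulations/<simulation_id>/ directory layout, the helper names, and the ALLOWED_PLATFORMS set are assumptions for illustration.

```python
"""
Added example, not code from the MiroFish project.

Shows (1) the crafted GET request the advisory describes, (2) the unvalidated
{platform}_simulation.db interpolation and where the resulting path lands, and
(3) an allow-list plus resolved-path check that closes the traversal.

Assumptions (not stated in the advisory): the per-simulation directory is
uploads/simulations/<simulation_id>/, and the supported platform names are the
ones in ALLOWED_PLATFORMS. Both are illustrative.
"""
import os
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Directory the advisory names as the intended location of the databases.
BASE_DIR = Path("uploads/simulations").resolve()

# Hypothetical allow-list of platform identifiers the backend supports.
ALLOWED_PLATFORMS = frozenset({"twitter", "reddit"})


def platform_from_request(request_line: str) -> str:
    """Return the platform query parameter exactly as a web framework would
    hand it to the handler: percent-decoded, taken from the query string,
    no POST body involved."""
    query = parse_qs(urlsplit(request_line).query)
    return query.get("platform", [""])[0]


def vulnerable_db_path(simulation_id: str, platform: str) -> str:
    """Mirrors the flaw: the query parameter is interpolated into the
    filename with no validation, so '../' segments are honoured."""
    return os.path.join("uploads", "simulations", simulation_id,
                        f"{platform}_simulation.db")


def escapes_base(path: str) -> bool:
    """True when the path, once '..' segments are collapsed, is no longer
    inside uploads/simulations/."""
    resolved = Path(path).resolve()
    return BASE_DIR not in resolved.parents


def platform_allowed(platform: str) -> bool:
    """Allow-list check: only known platform names may reach the filename."""
    return platform in ALLOWED_PLATFORMS


def safe_db_path(simulation_id: str, platform: str) -> Path:
    """Hardened counterpart of vulnerable_db_path.

    1. platform must be on the allow-list (nothing to interpolate otherwise).
    2. simulation_id is restricted to a conservative character set.
    3. The resolved path is verified to still sit under BASE_DIR, as
       defence in depth should either check above ever regress.
    """
    if not platform_allowed(platform):
        raise ValueError(f"unsupported platform: {platform!r}")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", simulation_id):
        raise ValueError(f"malformed simulation id: {simulation_id!r}")
    path = (BASE_DIR / simulation_id / f"{platform}_simulation.db").resolve()
    if BASE_DIR not in path.parents:
        raise ValueError("resolved path left the simulations directory")
    return path


if __name__ == "__main__":
    # Constructed request: the traversal rides in the query string, and a
    # percent-encoded form decodes to the same thing before the handler sees it.
    for url in ("/api/simulation/sim-1/posts?platform=../../other",
                "/api/simulation/sim-1/posts?platform=..%2F..%2Fother"):
        platform = platform_from_request(url)
        built = vulnerable_db_path("sim-1", platform)
        print(f"{url}\n  -> {built}\n  escapes base dir: {escapes_base(built)}")
    print("hardened:", safe_db_path("sim-1", "twitter"))
```

The percent-encoded variant is included because a check that greps the raw URL for `../` would miss it; the allow-list check operates on the decoded value the handler actually receives, so both forms are rejected the same way.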
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.