{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7041", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-25T15:54:19.855Z", "datePublished": "2026-04-26T12:45:12.357Z", "dateUpdated": "2026-04-27T13:10:03.077Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-26T12:45:12.357Z"}, "title": "666ghj MiroFish Werkzeug Debugger PIN console information disclosure", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "Information Disclosure"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}], "affected": [{"vendor": "666ghj", "product": "MiroFish", "versions": [{"version": "0.1.0", "status": "affected"}, {"version": "0.1.1", "status": "affected"}, {"version": "0.1.2", "status": "affected"}], "modules": ["Werkzeug Debugger PIN Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation of the argument SECRET results in information disclosure. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "timeline": [{"time": "2026-04-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-25T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-25T17:59:36.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Yu_Bao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/359620", "name": "VDB-359620 | 666ghj MiroFish Werkzeug Debugger PIN console information disclosure", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359620/cti", "name": "VDB-359620 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/798526", "name": "Submit #798526 | 666ghj MiroFish 0.1.2 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/666ghj/MiroFish/issues/483", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/666ghj/MiroFish/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:09:55.449358Z", "id": "CVE-2026-7041", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:10:03.077Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7041", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:09:55.449358Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:09:58.455Z"}}], "cna": {"title": "666ghj MiroFish Werkzeug Debugger PIN console information disclosure", "credits": [{"lang": "en", "type": "reporter", "value": "Yu_Bao (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "affected": [{"vendor": "666ghj", "modules": ["Werkzeug Debugger PIN Handler"], "product": "MiroFish", "versions": [{"status": "affected", "version": "0.1.0"}, {"status": "affected", "version": "0.1.1"}, {"status": "affected", "version": "0.1.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-25T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-25T17:59:36.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359620", "name": "VDB-359620 | 666ghj MiroFish Werkzeug Debugger PIN console information disclosure", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359620/cti", "name": "VDB-359620 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/798526", "name": "Submit #798526 | 666ghj MiroFish 0.1.2 Remote Code Execution", "tags": ["third-party-advisory"]}, {"url": "https://github.com/666ghj/MiroFish/issues/483", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/666ghj/MiroFish/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation of the argument SECRET results in information disclosure. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Information Disclosure"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-26T12:45:12.357Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7041", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:10:03.077Z", "dateReserved": "2026-04-25T15:54:19.855Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-26T12:45:12.357Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation of the argument SECRET results in information disclosure. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-7041", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-26T13:16:01.813", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/666ghj/MiroFish/"}, {"source": "cna@vuldb.com", "url": "https://github.com/666ghj/MiroFish/issues/483"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/798526"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359620"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359620/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MiroFish", "source": "cna", "vendor": "666ghj"}, "product": "mirofish", "vendor": "666ghj"}], "analysis": {"en": {"generated_at": "2026-04-28T05:18:19.679526+00:00", "value": {"mitigation_remediation": ["Restrict or disable public access to the Werkzeug Debugger PIN Handler by blocking the /console endpoint or moving it behind an authentication gate", "Enforce strict authentication and input validation on the SECRET parameter to prevent unauthorized disclosure", "Monitor the 666ghj MiroFish project\u2019s GitHub repository and the vulnerability reporting site for an official patch, and apply the patch promptly when released"], "summary": {"action": "Mitigate", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are 666ghj and MiroFish, with vulnerable releases through version 0.1.2. The issue is tied to the /console endpoint of the Werkzeug Debugger PIN Handler. No other vendors or product versions are listed as impacted.", "description_and_impact": "The vulnerability resides in the Werkzeug Debugger PIN Handler component of 666ghj MiroFish. By manipulating the SECRET argument of the /console endpoint, an attacker can cause the application to disclose console information. This leads to a confidentiality breach, allowing the remote extraction of potentially sensitive internal data. The weakness is documented as CWE\u2011200 (Information Exposure) and CWE\u2011284 (Improper Authorization).", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate\u2011to\u2011high severity, while the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote via manipulation of the SECRET argument, requires high complexity, and is considered difficult to exploit, though a public exploit exists. Overall, the risk is moderate but warrants attention."}}}}, "created": "2026-04-27T19:52:29.308102+00:00", "updated": "2026-04-28T05:30:23.342088+00:00", "vendors": ["666ghj", "666ghj$PRODUCT$mirofish"]}