Home

Description

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.

PUBLISHED Reserved 2026-05-28 | Published 2026-05-29 | Updated 2026-05-29 | Assigner VulnCheck




CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unknown

Any version
affected

Credits

YU SUN finder

References

github.com/zyddnys/manga-image-translator/issues/1141 issue-tracking

github.com/zyddnys/manga-image-translator/pull/1142 technical-description

github.com/...ommit/d7441481a7ed3236b4e0456670a9962a8c82d94d patch

www.vulncheck.com/...e-pickle-deserialization-in-share-model third-party-advisory

cve.org (CVE-2026-10042)

nvd.nist.gov (CVE-2026-10042)

Download JSON