CVE-2026-10042
CRITICAL
manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model
Title source: cna
Description
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.
References (4)
Issue Tracking: https://github.com/zyddnys/manga-image-translator/issues/1141
Technical Description: https://github.com/zyddnys/manga-image-translator/pull/1142
Patch: https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d
Third Party Advisory: https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model
Scores
CVSS v3: 9.8
EPSS: 0.0062
EPSS Percentile: 44.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-502
Status: published
Products (1): zyddnys/manga-image-translator < d744148
Published: May 29, 2026
Tracked Since: May 29, 2026