CVE-2026-10042

EUVD-2026-33328

29.05.2026, 15:16

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d

https://github.com/zyddnys/manga-image-translator/issues/1141

https://github.com/zyddnys/manga-image-translator/pull/1142

https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model

https://github.com/zyddnys/manga-image-translator/issues/1141