Description
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.
Published: 2026-05-29
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the share.py module of manga-image-translator, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize HTTP request bodies using pickle.loads() without validating the input. An attacker can craft a malicious pickle payload that, when loaded, executes arbitrary code in the server process, leading to remote code execution and full container compromise when the application runs as root in the default Docker deployment.

Affected Systems

The affected product is manga-image-translator, developed by zyddnys. Any installation that runs the shared API server mode and exposes the /execute/{method_name} or /simple_execute/{method_name} endpoints is vulnerable. The CVE record lists no version range and no fix has been published at the time of writing, so treat every release that includes the shared API server mode as affected.

Risk and Exploitability

The CVSS 4.0 base score of 9.2 (CVSS 3.1: 9.8) indicates critical severity; the 4.0 vector records an attack requirement (AT:P), consistent with the shared API server mode having to be enabled before the endpoints exist. The EPSS score is below 1% and the vulnerability is not listed in CISA KEV, but the SSVC assessment recorded in the history below marks Exploitation as 'poc' and Technical Impact as 'total'. The attack vector is remote and unauthenticated (PR:N): a crafted HTTP request body containing a malicious pickle payload. Successful exploitation grants arbitrary code execution in the server process and, in the default Docker deployment running as root, full container takeover.

Generated by OpenCVE AI on May 29, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor fix as soon as one is published; the Remediation section records none at the time of writing, so until then treat the shared API server mode as unsafe to expose.
  • Disable the shared API server mode, or bind it to localhost / place it behind an authenticating reverse proxy, so the /execute and /simple_execute endpoints are not reachable from untrusted networks.
  • Replace pickle.loads() on request bodies with a format that cannot name callables, such as JSON validated against the expected argument shape. If pickle must be kept for existing clients, deserialize through a pickle.Unpickler subclass whose find_class() only resolves an explicit allowlist of globals, and run the server as an unprivileged user so a compromise does not yield root inside the container.
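The following is an added example, not code from manga-image-translator, illustrating both the vulnerable pattern the description attributes to share.py (an HTTP body fed straight to pickle.loads()) and the hardening recommended above. The function names, the "translate" method, the request shapes and the payload are all constructed for this example; only the pickle and pickletools calls are real standard-library APIs. The malicious payload is built but never passed to pickle.loads(), so nothing here executes a command.

```python
import io
import json
import os
import pickle
import pickletools

# Assumed allowlist of server-side methods the endpoints may dispatch to
# (constructed for this example; not the project's real method table).
METHODS = {
    "translate": lambda text, target_lang="ENG": f"[{target_lang}] {text}",
}


def vulnerable_execute(method_name: str, body: bytes):
    """The pattern the advisory describes: the request body goes straight
    into pickle.loads(), so any callable the payload names gets invoked."""
    args = pickle.loads(body)  # `body` is attacker-controlled
    return METHODS[method_name](**args)


class PickleRejected(Exception):
    pass


# Plain data (dict/list/str/int/...) never emits a GLOBAL opcode, so the
# allowlist can start empty; add (module, name) pairs deliberately if a
# legacy client genuinely needs them.
ALLOWED_GLOBALS: frozenset = frozenset()


class RestrictedUnpickler(pickle.Unpickler):
    """pickle reaches code through GLOBAL/STACK_GLOBAL lookups followed by
    REDUCE; find_class() is the documented hook for refusing those lookups."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise PickleRejected(f"refused global {module}.{name}")


def restricted_loads(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def try_restricted_loads(body: bytes):
    """Returns (True, obj) or (False, reason) instead of raising."""
    try:
        return True, restricted_loads(body)
    except PickleRejected as exc:
        return False, str(exc)


def referenced_globals(body: bytes):
    """Static scan with pickletools: every module.name the payload would
    resolve, listed without executing it (useful for logging or a gateway
    check). Handles the literal-string form of STACK_GLOBAL; a memo
    reference (BINGET) standing in for the literal is not resolved here."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(body):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def handle_request(method_name: str, body: bytes):
    """Hardened handler: JSON instead of pickle, a method-name allowlist,
    and a shape check before the arguments reach the method."""
    if method_name not in METHODS:
        raise KeyError(f"unknown method {method_name!r}")
    args = json.loads(body.decode("utf-8"))
    if not isinstance(args, dict) or not all(isinstance(k, str) for k in args):
        raise ValueError("body must be a JSON object of keyword arguments")
    return METHODS[method_name](**args)


class _Evil:
    """Constructed payload of the kind the advisory describes: on
    pickle.loads() the REDUCE step would call os.system("id")."""

    def __reduce__(self):
        return (os.system, ("id",))


def build_malicious_payload() -> bytes:
    # pickle.dumps() only serialises the callable reference; it does not run it.
    return pickle.dumps(_Evil())


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("globals referenced:", referenced_globals(evil))
    print("restricted loader:", try_restricted_loads(evil))
    print("json handler:", handle_request("translate", b'{"text": "hello"}'))
```

referenced_globals() is the check to run on any pickle body you still have to accept: a legitimate request for this API carries no global references at all, so any (module, name) pair in the output is grounds to reject the request before it reaches a loader.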



Advisories

No advisories yet.

History

Fri, 29 May 2026 15:45:00 +0000

Type: First Time appeared
Values added: Zyddnys; Zyddnys manga-image-translator

Type: Vendors & Products
Values added: Zyddnys; Zyddnys manga-image-translator

Fri, 29 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 14:45:00 +0000

Type: Description
Values added: manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.

Type: Title
Values added: manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model

Type: Weaknesses
Values added: CWE-502

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values added: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T15:04:02.168Z

Reserved: 2026-05-28T20:43:23.374Z

Link: CVE-2026-10042

Vulnrichment

Updated: 2026-05-29T15:03:55.546Z

NVD

Status : Deferred

Published: 2026-05-29T15:16:21.843

Modified: 2026-05-29T16:29:11.350

Link: CVE-2026-10042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:03Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data