CVE-2026-10042
9.8 CRITICALmanga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untr...
Published: 2026-05-29 · Last updated: 2026-05-29
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Description
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-10042
- [Other]https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d
- [Other]https://github.com/zyddnys/manga-image-translator/issues/1141
- [Other]https://github.com/zyddnys/manga-image-translator/pull/1142
- [Other]https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model
- [Other]https://github.com/zyddnys/manga-image-translator/issues/1141
Related CVEs
Same CWE
- CVE-2026-20251 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, ... (8.8 HIGH)
- CVE-2026-53435 — In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined i... (8.8 HIGH)
- CVE-2026-52751 — Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthe... (8.8 HIGH)
- CVE-2026-10721 — Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components
- CVE-2026-11815 — An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deseriali...