CVE-2026-26215

Sažetak

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.

Reference

https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/
https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L112
https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L130
https://github.com/zyddnys/manga-image-translator/issues/1116
https://github.com/zyddnys/manga-image-translator/issues/946
https://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

11-02-2026 - 23:16

Objavljeno

11-02-2026 - 23:16