CVE-2026-10042
CRITICAL SEVERITYCVSS Score & Metrics
Base Score
9.8 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Description
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-502
Source
NVD
Vendor
zyddnys
Product
manga-image-translator
External References
- https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d
- https://github.com/zyddnys/manga-image-translator/issues/1141
- https://github.com/zyddnys/manga-image-translator/pull/1142
- https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model
- https://github.com/zyddnys/manga-image-translator/issues/1141
Discussion (0)
Add Comment
No comments yet. Be the first!