CVE-2026-10042

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d
https://github.com/zyddnys/manga-image-translator/issues/1141
https://github.com/zyddnys/manga-image-translator/pull/1142
https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model
https://github.com/zyddnys/manga-image-translator/issues/1141

Configurations

No configuration.

History

29 May 2026, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/zyddnys/manga-image-translator/issues/1141 -~~	() https://github.com/zyddnys/manga-image-translator/issues/1141 -

29 May 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-29 15:16

Updated : 2026-05-29 16:29

NVD link : CVE-2026-10042

Mitre link : CVE-2026-10042

CVE.ORG link : CVE-2026-10042

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-10042", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-29T15:16:21.843", "references": [{"url": "https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/zyddnys/manga-image-translator/issues/1141", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/zyddnys/manga-image-translator/pull/1142", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/zyddnys/manga-image-translator/issues/1141", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root."}], "lastModified": "2026-05-29T16:29:11.350", "sourceIdentifier": "disclosure@vulncheck.com"}