{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26215", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-11T20:08:07.943Z", "datePublished": "2026-02-11T22:18:39.304Z", "dateUpdated": "2026-05-11T23:11:18.525Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "packageName": "manga-image-translator", "product": "manga-image-translator", "repo": "https://github.com/zyddnys/manga-image-translator", "vendor": "zyddnys", "versions": [{"lessThanOrEqual": "beta-0.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Valentin Lobstein (Chocapikk)"}, {"lang": "en", "type": "finder", "value": "sud0why of Tencent YunDing Security Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "manga-image-translator version&nbsp;beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload."}], "value": "manga-image-translator version\u00a0beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:18.525Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/"}, {"tags": ["issue-tracking", "patch"], "url": "https://github.com/zyddnys/manga-image-translator/issues/1116"}, {"tags": ["issue-tracking"], "url": "https://github.com/zyddnys/manga-image-translator/issues/946"}, {"tags": ["product"], "url": "https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L112"}, {"tags": ["product"], "url": "https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L130"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce"}], "source": {"discovery": "EXTERNAL"}, "title": "manga-image-translator Shared API Unsafe Deserialization RCE", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Set the MT_WEB_NONCE environment variable or pass --nonce=&lt;secret&gt; at startup.</span></span><br>"}], "value": "Set the MT_WEB_NONCE environment variable or pass --nonce=<secret> at startup."}], "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T15:00:51.578516Z", "id": "CVE-2026-26215", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:01:45.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "manga-image-translator Shared API Unsafe Deserialization RCE", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Valentin Lobstein (Chocapikk)"}, {"lang": "en", "type": "finder", "value": "sud0why of Tencent YunDing Security Lab"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/zyddnys/manga-image-translator", "vendor": "zyddnys", "product": "manga-image-translator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "beta-0.3"}], "packageName": "manga-image-translator", "defaultStatus": "unknown"}], "references": [{"url": "https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/zyddnys/manga-image-translator/issues/1116", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/zyddnys/manga-image-translator/issues/946", "tags": ["issue-tracking"]}, {"url": "https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L112", "tags": ["product"]}, {"url": "https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L130", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce", "tags": ["third-party-advisory"]}], "workarounds": [{"lang": "en", "value": "Set the MT_WEB_NONCE environment variable or pass --nonce=<secret> at startup.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">Set the MT_WEB_NONCE environment variable or pass --nonce=&lt;secret&gt; at startup.</span></span><br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "manga-image-translator version\u00a0beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.", "supportingMedia": [{"type": "text/html", "value": "manga-image-translator version&nbsp;beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-11T22:22:49.341Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26215", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-12T15:00:51.578516Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-12T15:01:03.119Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-26215", "state": "PUBLISHED", "dateUpdated": "2026-02-11T22:22:49.341Z", "dateReserved": "2026-02-11T20:08:07.943Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-11T22:18:39.304Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "manga-image-translator version\u00a0beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload."}, {"lang": "es", "value": "manga-image-translator versi\u00f3n beta-0.3 y anteriores en modo API compartido contiene una vulnerabilidad de deserializaci\u00f3n insegura que puede conducir a la ejecuci\u00f3n remota de c\u00f3digo no autenticada. Los endpoints de FastAPI /simple_execute/{method} y /execute/{method} deserializan cuerpos de solicitud controlados por el atacante utilizando pickle.loads() sin validaci\u00f3n. Aunque una comprobaci\u00f3n de autorizaci\u00f3n basada en nonce est\u00e1 destinada a restringir el acceso, el nonce por defecto es una cadena vac\u00eda y la comprobaci\u00f3n se omite, permitiendo a atacantes remotos ejecutar c\u00f3digo arbitrario en el contexto del servidor enviando una carga \u00fatil pickle manipulada."}], "id": "CVE-2026-26215", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-11T23:16:10.797", "references": [{"source": "disclosure@vulncheck.com", "url": "https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L112"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L130"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/zyddnys/manga-image-translator/issues/1116"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/zyddnys/manga-image-translator/issues/946"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,beta-0.3]"}}], "product": "manga-image-translator", "vendor": "zyddnys"}], "analysis": {"en": {"generated_at": "2026-04-17T20:08:24.163024+00:00", "value": {"mitigation_remediation": ["Set the MT_WEB_NONCE environment variable to a secure random string or start the application with the --nonce flag to enable the nonce check that prevents unauthenticated access.", "Upgrade to a fixed version of manga\u2011image\u2011translator where this unsafe deserialization has been resolved; if no official patch exists, review the project\u2019s release notes or repository for a corrected implementation.", "Disable the shared API mode entirely when it is not required, or restrict its exposure to trusted networks using firewall rules or a reverse\u2011proxy to block unauthenticated clients.", "Continuously monitor application logs for deserialization errors or unexpected payloads, and alert on repeated failures that may indicate an active exploit attempt."], "summary": {"action": "Apply Workaround", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the manga\u2011image\u2011translator application released by zyddnys. Versions beta\u20110.3 and earlier running in shared API mode are impacted. No specific minor or patch versions are listed; the issue is present up to and including the latest beta release at the time of the advisory.", "description_and_impact": "The vulnerability resides in the shared API mode of manga\u2011image\u2011translator beta\u20110.3 and earlier, where the FastAPI endpoints \"/simple_execute/{method}\" and \"/execute/{method}\" use Python\u2019s pickle.loads() to deserialize request bodies without validating the payload. This unsafe deserialization enables any network user who can contact the API to send a specially crafted pickle payload that will be executed with the privileges of the server process. The consequence is full remote code execution on the host, which can compromise confidentiality, integrity, and availability of the affected machine and any services it hosts. The weakness aligns with CWE\u2011502, indicating insecure deserialization.", "risk_and_exploitability": "CVSS 9.3 reflects a critical severity, yet the EPSS score is below 1\u202f%, indicating that currently the likelihood of exploitation is low. The vulnerability is not yet listed in the CISA KEV catalog. Attackers can reach the vulnerable endpoints over the network; no authentication is required because the intended nonce\u2011based protection defaults to an empty string, effectively disabling the check. Once accessed, the attacker can inject arbitrary pickled objects that will be deserialized and executed by the server."}}}}, "created": "2026-02-12T09:03:10.678356+00:00", "updated": "2026-04-17T20:15:26.999711+00:00", "vendors": ["zyddnys", "zyddnys$PRODUCT$manga-image-translator"]}