CVE-2026-26215 PUBLISHED

manga-image-translator Shared API Unsafe Deserialization RCE

Assigner: VulnCheck
Reserved: 11.02.2026 Published: 11.02.2026 Updated: 12.02.2026

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	zyddnys
Product	manga-image-translator
Versions	Default: unknown affected from 0 to beta-0.3 (incl.)

Workarounds

Set the MT_WEB_NONCE environment variable or pass --nonce=<secret> at startup.

Credits

Valentin Lobstein (Chocapikk) finder
sud0why of Tencent YunDing Security Lab finder

References

Problem Types

CWE-502 Deserialization of Untrusted Data CWE