QwikSec

Security Database

CVE

CWE

Training

CVE-2026-26215

Published: Feb 11, 2026

Modified: May 11, 2026

PUBLISHED

Description

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.

Vendor	Product	Versions
zyddnys	manga-image-translator	affected `0 - <= beta-0.3`

Weaknesses (CWE)

References

https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/

technical-description

exploit

https://github.com/zyddnys/manga-image-translator/issues/1116

issue-tracking

patch

https://github.com/zyddnys/manga-image-translator/issues/946

issue-tracking

https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L112

product

https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L130

product

https://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.