CVE-2026-10042

CVE Database · CVE-2026-10042

CVE-2026-10042

· CRITICALDeferred

CVSS v3.1

9.8

CVSS v4.0

9.2

EPSS

0.62%

Published

May 29, 2026

Modified

May 29, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

References (5)

https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d

https://github.com/zyddnys/manga-image-translator/issues/1141

https://github.com/zyddnys/manga-image-translator/pull/1142

https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model

https://github.com/zyddnys/manga-image-translator/issues/1141

KEV Catalog EPSS Scores Vendors All CVEs