CVE-2026-26215 - Vulnerability Analysis
N/aLast Updated: February 12, 2026
manga-image-translator - Remote Code Execution
Published: February 11, 2026Updated: February 12, 2026PoC Available
Overview
manga-image-translator beta-0.3 and prior in shared API mode contains an insecure deserialization vulnerability caused by unvalidated use of pickle.loads() in FastAPI endpoints, letting unauthenticated remote attackers execute arbitrary code by sending crafted payloads.
Severity & Score
Severity: N/a
Impact
Unauthenticated remote attackers can execute arbitrary code on the server, potentially leading to full system compromise.
Mitigation
Update to the latest version that fixes the insecure deserialization vulnerability.
References
- https://chocapikk.com/posts/2026/manga-image-translator-pickle-rce/
- https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L112
- https://github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87e73fa0fe/manga_translator/mode/share.py#L130
- https://github.com/zyddnys/manga-image-translator/issues/1116
- https://github.com/zyddnys/manga-image-translator/issues/946
- https://www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deserialization-rce
Related Resources
Details
- CVE ID
- CVE-2026-26215
- Severity
- N/a
- Type
- insecure_deserialization
- Status
- unconfirmed
CWE
- CWE-502
CVSS Metrics
N/A