Deserialization in Zyddnys Manga-image-translator

CVE-2026-26215

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{meth…

Vulnerability class: Insecure Deserialization

EPSS: 0.002 (36.7th percentile) — read the EPSS interpretation.

Affected products

Zyddnys Manga-image-translator — versions 0

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

References

chocapikk.com/posts/2026/manga-image-translator-pickle-rce/ (technical-description, exploit)
github.com/zyddnys/manga-image-translator/issues/1116 (issue-tracking, patch)
github.com/zyddnys/manga-image-translator/issues/946 (issue-tracking)
github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87… (product)
github.com/zyddnys/manga-image-translator/blob/a537cb12b41daf2065795058c2753d87… (product)
www.vulncheck.com/advisories/manga-image-translator-shared-api-unsafe-deseriali… (third-party-advisory)