CVE-2026-10042
🟠 Łataj w tym tygodniu
Niebezpieczna deserializacja w manga-image-translator umożliwia zdalne wykonanie kodu.
CVSS
9.8
EPSS
0.4%
Exploit
none
Vendor
Opis źródłowy (NVD)
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.
deserialization rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.4% |
| Opublikowano (NVD) | 2026-05-29 15:16:21 UTC |
| Ostatnia modyfikacja (NVD) | 2026-05-29 16:29:11 UTC |
Referencje
- https://github.com/zyddnys/manga-image-translator/commit/d7441481a7ed3236b4e0456670a9962a8c82d94d (disclosure@vulncheck.com)
- https://github.com/zyddnys/manga-image-translator/issues/1141 (disclosure@vulncheck.com)
- https://github.com/zyddnys/manga-image-translator/pull/1142 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/manga-image-translator-rce-via-unsafe-pickle-deserialization-in-share-model (disclosure@vulncheck.com)