CVE-2026-10042: manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model
manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.
HarborGuard Analysis
Synopsis
manga-image-translator has a remote code execution flaw in its shared API server mode, where the /execute/{method_name} and /simple_execute/{method_name} endpoints in share.py call pickle.loads() on raw HTTP request bodies. Any unauthenticated attacker who can reach the share server over the network can send a crafted pickle payload and run arbitrary code in the server process, which in the default Docker image runs as root and yields full container compromise. No fix has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against manga-image-translator images in customer registries and CI pipelines. Coverage extends to custom-built images that embed the affected commit range, including derivative images built on top of the upstream Docker tag.
Available
Triage is available using the published CVSS v4.0 score of 9.2 (Critical), weighted by each customer organization's compliance policy so that internet-exposed share-mode deployments escalate ahead of internal-only ones. Findings route to the inbox configured for critical container CVEs inside each customer org.
Available
No upstream fix has been published for any affected commit. HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available the moment zyddnys ships a corrected release, with auto-remediation customers receiving a rebuild, regression run, and PR opened against affected workloads at that point.
Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the share-mode HTTP server over the network to POST to the /execute or /simple_execute endpoints.
- Authentication: Not required
The vulnerable endpoints accept requests with no credentials, so any caller who can reach the server can trigger deserialization.
- Victim interaction: Not required
Exploitation is a direct server-side request and requires no action from any user or operator.
- Attack complexity: Detail
AC:L indicates the exploit is reliable, though AT:P notes a present attack requirement, namely that the server is started in share mode rather than the default standalone mode.
Blast Radius
- Arbitrary code execution inside the manga-image-translator server process, giving the attacker the same privileges as the container's main process.
- Full read access to any data, model files, API keys, and mounted volumes accessible to that process.
- Tampering with translation outputs, cached models, and any writable mounts, plus the ability to plant persistence in the image's working directories.
- In the default Docker deployment the process runs as root, so the attacker effectively owns the container and can pivot to any network the container can reach.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the zyddnys/manga-image-translator advisory, with the patched-image rebuild auto-published the moment an upstream fix lands and, for environments with auto-remediation enabled, a regression-tested PR opened against affected workloads at that point. Until a fix exists, recommended compensating controls surfaced alongside the finding include disabling share mode entirely, placing the share server behind an authenticated reverse proxy on a private network, blocking ingress to /execute and /simple_execute at the gateway, dropping the container to a non-root UID, and applying egress filtering so a compromised process cannot reach attacker infrastructure.
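The root cause above is pickle.loads() on a request body, which lets the stream import and call objects while it loads. The following added example (not code from manga-image-translator or HarborGuard) shows a static opcode check and a data-only unpickler that refuses every global lookup. The names risky_opcodes, DataOnlyUnpickler and safe_loads are hypothetical, the sample bodies are constructed, and whether the share API's real payloads are plain data is an assumption the page does not confirm.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that import a callable or invoke one during unpickling.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(body: bytes) -> set:
    """Statically list risky opcodes in a pickle stream without executing it."""
    try:
        return {op.name for op, _arg, _pos in pickletools.genops(body)} & RISKY_OPCODES
    except Exception:
        return {"MALFORMED"}  # not a well-formed pickle: treat as rejectable too


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only builtin data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(body: bytes):
    """Hypothetical drop-in for pickle.loads() that accepts plain data only."""
    return DataOnlyUnpickler(io.BytesIO(body)).load()


# Constructed sample bodies (not captured traffic).
PLAIN_BODY = pickle.dumps({"text": "hello", "boxes": [[0, 0, 10, 10]]})
# A benign object that still needs an import plus a call to be rebuilt: the
# same mechanism a hostile body relies on, with a callable the sender picks.
OBJECT_BODY = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    for label, body in (("plain", PLAIN_BODY), ("object", OBJECT_BODY)):
        print(label, sorted(risky_opcodes(body)))
        try:
            print("  loaded:", safe_loads(body))
        except pickle.UnpicklingError as exc:
            print("  rejected:", exc)
```

The opcode check is only a triage signal for gateway or log inspection; the refusal in find_class is what actually prevents the import, and a non-pickle wire format removes the problem class entirely.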
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- zyddnys / manga-image-translator ≤ d744148
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N