CVE-2026-26215


📋 TL;DR

CVE-2026-26215 is an unauthenticated remote code execution vulnerability in manga-image-translator's shared API mode. Attackers can send malicious pickle payloads to FastAPI endpoints to execute arbitrary code on the server. This affects all users running version beta-0.3 or earlier with shared API mode enabled.

💻 Affected Systems

Products:
  • manga-image-translator
Versions: beta-0.3 and prior
Operating Systems: Any OS running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with shared API mode enabled. The nonce used for authorization defaults to an empty string, which bypasses the intended access control.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing attackers to install malware, steal data, pivot to internal networks, or use the server for cryptocurrency mining or DDoS attacks.

🟠 Likely Case

Server takeover leading to data theft, service disruption, and potential lateral movement within the network.

🟢 If Mitigated

No impact if proper authorization is enforced and unsafe deserialization is prevented.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and allows remote code execution on internet-exposed instances.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the vulnerable service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting pickle payloads but is straightforward for attackers familiar with Python deserialization attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after beta-0.3

Vendor Advisory: https://github.com/zyddnys/manga-image-translator/issues/1116

Restart Required: Yes

Instructions:

  1. Update manga-image-translator to the latest version.
  2. Verify the fix by checking that pickle.loads() is no longer used in the /simple_execute/{method} and /execute/{method} endpoints.
  3. Restart the service.

🔧 Temporary Workarounds

Disable shared API mode (applies to: all versions)
  Completely disable the vulnerable shared API functionality.
  Modify the configuration to disable shared API mode or remove the vulnerable endpoints.

Implement proper nonce validation (applies to: all versions)
  Enforce a non-empty nonce and proper authorization checks.
  Set a strong nonce value in the configuration and ensure the authorization checks are enforced.

🧯 If You Can't Patch

  • Network segmentation: Isolate vulnerable instances from critical systems and internet access
  • Implement strict firewall rules: Block external access to the vulnerable endpoints (port 5003 by default)

🔍 How to Verify

Check if Vulnerable:

Check if running manga-image-translator beta-0.3 or earlier with shared API mode enabled. Examine the share.py file for pickle.loads() usage in the execute endpoints.

Check Version:

Check package version or examine the source code for version indicators

Verify Fix Applied:

Verify that pickle.loads() is removed from /simple_execute/{method} and /execute/{method} endpoints in the codebase and proper authorization is implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /simple_execute/* or /execute/* endpoints
  • Unexpected process execution or system commands in logs
  • Authentication bypass attempts

Network Indicators:

  • Pickle payloads in HTTP requests (bodies containing pickle protocol markers)
  • Unusual outbound connections from the server
  • Traffic to unexpected ports or IPs
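The two controls the workaround and indicator sections describe, enforcing a non-empty nonce and refusing pickle bodies in favour of JSON, as an added example that is not the project's own code. The X-Nonce header name, the 16-character minimum and the sample bodies are assumptions constructed for the example.

```python
import hmac
import json
import pickle
from typing import Optional, Tuple

# Constructed sample bodies: a pickle stream (protocol 4 or 5, the default on
# CPython 3.8+) and the JSON equivalent a safe endpoint would accept instead.
SAMPLE_PICKLE = pickle.dumps({"method": "translate", "text": "hello"})
SAMPLE_JSON = b'{"method": "translate", "text": "hello"}'

PICKLE_PROTO_OPCODE = 0x80  # PROTO opcode that opens every protocol-2+ pickle
PICKLE_STOP_OPCODE = b"."   # STOP opcode that terminates every pickle

def looks_like_pickle(body: bytes) -> bool:
    """Heuristic for the 'pickle protocol markers' indicator: a PROTO header
    with version 2..5 and a STOP terminator. Protocol 0/1 streams have no
    PROTO header and are not caught by this check."""
    if len(body) < 3 or body[0] != PICKLE_PROTO_OPCODE:
        return False
    return 2 <= body[1] <= 5 and body.endswith(PICKLE_STOP_OPCODE)

def nonce_authorized_weak(configured: str, presented: str) -> bool:
    """The defect the advisory describes: with the configured nonce defaulting
    to "", an absent or empty client nonce compares equal and is let through."""
    return presented == configured

def nonce_authorized(configured: str, presented: Optional[str],
                     min_len: int = 16) -> bool:
    """Fail closed: an unset or short server nonce authorizes nobody, a missing
    client nonce is rejected, and the comparison itself is constant-time."""
    if not configured or len(configured) < min_len or not presented:
        return False
    return hmac.compare_digest(configured.encode(), presented.encode())

def screen_request(configured: str, headers: dict, body: bytes) -> Tuple[bool, str]:
    """Hypothetical gate in front of the /execute/{method} handlers: enforce
    the nonce, refuse pickle bodies, and require JSON instead of pickle.loads().
    The X-Nonce header name is an assumption, not the project's."""
    if not nonce_authorized(configured, headers.get("X-Nonce")):
        return False, "unauthorized: missing or invalid nonce"
    if looks_like_pickle(body):
        return False, "rejected: pickle payload"
    try:
        json.loads(body)
    except ValueError:
        return False, "rejected: body is not JSON"
    return True, "ok"
```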

SIEM Query:

http.method:POST AND (http.uri:"/simple_execute/*" OR http.uri:"/execute/*") AND NOT user_agent:"normal-client"
