Lost in Translation: Unauthenticated RCE in Manga Image Translator
Vulnerability ID: CVE-2026-26215
CVSS Score: 9.8
Published: 2026-02-11
Translating manga is an art form. Translating arbitrary serialized Python objects into a root shell, however, is a science—specifically, the science of insecure deserialization. CVE-2026-26215 is a critical vulnerability in the manga-image-translator project that combines a classic pickle vulnerability with a hilariously broken authentication check. Because the developers relied on Python's truthiness logic for security configuration, the default installation leaves the front door wide open, allowing unauthenticated attackers to execute remote code on high-value GPU instances.
TL;DR
A logic error in the check_nonce function causes the API to skip authentication entirely in default configurations. Combined with an unsafe pickle.loads() call on the /execute endpoint, this allows unauthenticated RCE.
⚠️ Exploit Status: POC
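The two defects the TL;DR describes are easy to see side by side. The block below is an added example, not code from manga-image-translator: it assumes the nonce is read from MT_WEB_NONCE with an empty default and only compared when truthy (the assumed shape of the bug), shows a fail-closed replacement, and replaces pickle.loads() on the request body with JSON decoding against a field allowlist. The field names task_id, target_lang and image_b64 are constructed for the example.

```python
"""Fail-closed nonce gate and a pickle-free body decoder (illustrative).

Added example, not code from manga-image-translator. The shape of the
vulnerable check (nonce read from MT_WEB_NONCE, compared only when it is
truthy) and the field names accepted on /execute are assumptions.
"""
import hmac
import json
from typing import Optional


def load_nonce(environ: dict) -> str:
    """Mimics reading MT_WEB_NONCE with an empty-string default (assumed)."""
    return environ.get("MT_WEB_NONCE", "")


def vulnerable_check_nonce(configured: str, supplied: Optional[str]) -> bool:
    """Assumed shape of the bug: an unset nonce is falsy, so the comparison
    is skipped entirely and every request passes."""
    if configured and supplied != configured:
        return False
    return True


def hardened_check_nonce(configured: Optional[str], supplied: Optional[str]) -> bool:
    """Fail closed: no configured nonce, or no supplied nonce, means reject.
    hmac.compare_digest keeps the comparison constant-time."""
    if not configured or supplied is None:
        return False
    return hmac.compare_digest(configured.encode("utf-8"), supplied.encode("utf-8"))


# Allowlist of fields the handler accepts and their expected JSON types.
# These names are constructed for the example, not taken from the project.
ALLOWED_FIELDS = {"task_id": str, "target_lang": str, "image_b64": str}


def decode_execute_body(raw: bytes) -> dict:
    """Replacement for pickle.loads(): parse JSON and validate against an
    allowlist. JSON carries only data, so nothing executes on decode."""
    try:
        obj = json.loads(raw)
    except ValueError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("body must be a JSON object")
    unknown = set(obj) - set(ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for name, expected in ALLOWED_FIELDS.items():
        if name not in obj:
            raise ValueError(f"missing field: {name}")
        if not isinstance(obj[name], expected):
            raise ValueError(f"field {name} must be {expected.__name__}")
    return obj


if __name__ == "__main__":
    # Default install: MT_WEB_NONCE unset, so the vulnerable gate accepts anything.
    default_nonce = load_nonce({})
    print("vulnerable gate, default config:", vulnerable_check_nonce(default_nonce, None))
    print("hardened gate, default config:", hardened_check_nonce(default_nonce, None))
```

The important difference is the direction of the default: the vulnerable gate treats "no nonce configured" as "no check needed", while the hardened gate treats it as "nobody is authorised", which is what a deployment that forgot to set MT_WEB_NONCE actually wants.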
Technical Details
- CWE ID: CWE-502 (Deserialization of Untrusted Data)
- CVSS v3.1: 9.8 (Critical)
- Attack Vector: Network (HTTP POST)
- Authentication: None (Bypassed)
- Privileges: User/Server Context
- Status: PoC Available
Affected Systems
- manga-image-translator (Shared Mode)
- FastAPI servers using default nonce configuration
- manga-image-translator: <= beta-0.3 (Fixed in: N/A, see Issue #1116)
Code Analysis
Commit: N/A
Proposed patch discussion and workaround
N/A
Exploit Details
- GitHub: Full technical write-up and python exploit script.
Mitigation Strategies
- Disable 'shared' mode if not strictly necessary.
- Enforce explicit nonce generation in environment variables.
- Network isolation: Firewall port 5003 to trusted IPs only.
Remediation Steps:
- Set MT_WEB_NONCE to a non-empty string immediately.
- Apply the patch from Issue #1116, which replaces pickle with safer serialization methods.
- Monitor logs for connection attempts to /execute/ from unknown IPs.
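The last remediation step can be scripted. The block below is an added example, not part of the project: it assumes a combined-format access log from a reverse proxy in front of the service and a list of trusted networks, and flags every request to /execute from an address outside those networks. The log lines and the trusted ranges are constructed for the example.

```python
"""Flag /execute requests from outside a trusted network (illustrative).

Added example, not part of manga-image-translator. Assumes a combined-style
access log written by a proxy in front of the service; the sample lines and
the trusted ranges below are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed allowlist: adjust to the networks that legitimately call the API.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
10.0.1.7 - - [11/Feb/2026:10:00:01 +0000] "POST /execute/ HTTP/1.1" 200 512
198.51.100.23 - - [11/Feb/2026:10:00:05 +0000] "POST /execute/ HTTP/1.1" 200 512
10.0.1.7 - - [11/Feb/2026:10:00:09 +0000] "GET /status HTTP/1.1" 200 88
203.0.113.9 - - [11/Feb/2026:10:00:12 +0000] "POST /execute?x=1 HTTP/1.1" 500 0
garbage line that does not parse
203.0.113.9 - - [11/Feb/2026:10:00:15 +0000] "GET /execute/result HTTP/1.1" 404 0
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that are not access-log records."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    try:
        ipaddress.ip_address(record["ip"])  # reject malformed addresses
    except ValueError:
        return None
    return record


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_execute_path(path: str) -> bool:
    """Normalise query string and trailing slash so /execute, /execute/ and
    /execute?x=1 all count as the sensitive endpoint."""
    bare = path.split("?", 1)[0].rstrip("/")
    return bare == "/execute"


def find_untrusted_execute(lines: Iterable[str], nets=TRUSTED_NETS) -> List[dict]:
    """Collect /execute requests whose source address is outside the allowlist."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None or not is_execute_path(record["path"]):
            continue
        if is_trusted(record["ip"], nets):
            continue
        hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_execute(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Run against a real log, every hit is a request that reached the deserialising endpoint from an address the firewall rule in the mitigation list should have blocked, so an alert here also tells you the network control is not in place.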
References
Read the full report for CVE-2026-26215 on our website for more details including interactive diagrams and full exploit analysis.