PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26215 zyddnys CVE debrief

The CVE record for CVE-2026-26215 was published on 2026-02-11T23:16:10.797Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability affects manga-image-translator version beta-0.3 and prior in shared API mode, allowing unauthenticated remote code execution due to an unsafe deserialization issue. The FastAPI endpoints /simple_execute/{method} and /execute/{method} are vulnerable, and the nonce-based authorization check is not effective. Users of affected versions should be aware of this vulnerability and take steps to mitigate it. The debrief provides an executive overview of the vulnerability, its impact, and the context in which it was discovered.

Vendor
zyddnys
Product
manga-image-translator
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-11
Original CVE updated
2026-07-14
Advisory published
2026-02-11
Advisory updated
2026-07-14

Who should care

Users of manga-image-translator version beta-0.3 and prior in shared API mode should be aware of this vulnerability and take steps to mitigate it. This includes operators, administrators, and security teams responsible for managing and securing the affected systems. The vulnerability can lead to unauthenticated remote code execution, which can have significant operational impacts. Affected stakeholders should review the CVE record and NVD entry for more information and take necessary actions to protect their systems.

Technical summary

manga-image-translator version beta-0.3 and prior in shared API mode contains an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped, allowing remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload.

Defensive priority

High

Recommended defensive actions

  • Inventory and verify affected versions of manga-image-translator
  • Apply vendor remediation or patches
  • Implement compensating controls, such as input validation and authentication checks
  • Monitor for suspicious activity and exception tracking
  • Retest and verify vulnerability fixes
  • Review and update incident response plans
  • Conduct a thorough risk assessment to identify potential exposure

Evidence notes

The CVE record and NVD entry provide details on the vulnerability, but further analysis and verification are needed to fully understand the impact and scope of the vulnerability. The vulnerability is caused by an unsafe deserialization issue in the manga-image-translator version beta-0.3 and prior in shared API mode. The FastAPI endpoints /simple_execute/{method} and /execute/{method} deserialize attacker-controlled request bodies using pickle.loads() without validation. Although a nonce-based authorization check is intended to restrict access, the nonce defaults to an empty string and the check is skipped. This allows remote attackers to execute arbitrary code in the server context by sending a crafted pickle payload. Evidence limits suggest that additional verification tasks may be required to confirm the vulnerability and its impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-11T23:16:10.797Z and has not been modified since then. The NVD entry is currently Deferred.