
CVE-2026-10042 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-10042 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-10042 is a critical remote code execution vulnerability in the manga-image-translator project, specifically within the shared API server mode's share.py module, caused by unsafe deserialization of attacker-controlled pickle data.

Technical Detail

The flaw exists in the /execute/ endpoint of manga-image-translator's shared API server, which deserializes incoming data using Python's pickle module without validating or sanitizing the input. An unauthenticated remote attacker can craft a malicious pickle payload and submit it to this endpoint, triggering arbitrary code execution in the context of the server process. Successful exploitation grants full control over the host system, because a pickle stream can instruct the unpickler to import and call arbitrary Python callables during the object reconstruction phase.
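The missing validation can be illustrated with the standard library's restricted-unpickler pattern, which refuses to import any name during object reconstruction. This is an added example, not code from manga-image-translator or from this briefing; `ALLOWED_GLOBALS`, `safe_loads`, `check` and the sample payloads are hypothetical, and it assumes the request body only needs to carry plain data.

```python
import collections
import io
import pickle

# Assumption: the service only needs plain data (dict, list, str, int, ...),
# which pickle rebuilds without importing anything. An empty allowlist means
# no global may be resolved at all.
ALLOWED_GLOBALS = frozenset()  # e.g. {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode in the stream.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global: {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize data; raises on any non-allowlisted import."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check(data: bytes):
    """Return (ok, value_or_reason) so a caller can log and reject the request."""
    try:
        return True, safe_loads(data)
    except Exception as exc:  # fail closed on truncated or malformed input too
        return False, str(exc) or type(exc).__name__


# Constructed samples: plain data, and a benign object whose pickle
# has to import a class (collections.OrderedDict) to be rebuilt.
PLAIN = pickle.dumps({"task": "translate", "pages": [1, 2, 3]})
WITH_GLOBAL = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    print(check(PLAIN))
    print(check(WITH_GLOBAL))
```

An allowlist narrows what a stream can import but does not bound memory or CPU use, so it complements the access restrictions rather than replacing them.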

Exploitation Status

No known exploit code has been publicly observed or confirmed as of June 05, 2026. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. No proof-of-concept code has been publicly disclosed. Despite the absence of observed exploitation, the attack surface is straightforward and the vulnerability class is well understood, meaning the barrier to developing a working exploit is low for a skilled attacker.

Who Is Targeting This

No confirmed threat actor attribution exists for this vulnerability. Reported (research-inferred): no public attribution has been made at this time, and no specific actor, origin, or motivation has been identified in open sources. Organizations should not treat the absence of attribution as an indicator of reduced risk given the critical severity rating.

What To Do

Apply any available patches or updates to manga-image-translator immediately, prioritizing instances where the shared API server mode is exposed to untrusted networks or the public internet. If no patch is yet available, disable the shared API server mode entirely or restrict access to the /execute/ endpoint using network-level controls such as firewall rules or authenticated reverse proxies. Avoid exposing this service on publicly routable interfaces under any circumstances until a fix is confirmed. Detection efforts should focus on monitoring for unexpected process spawning or outbound network connections originating from the manga-image-translator server process. Review deployment configurations to confirm whether the shared API mode is enabled, as it may not be active in all installations.
