CVE-2026-26215 affects the manga-image-translator project, specifically versions beta-0.3 and earlier, when operating in shared API mode. The vulnerability stems from the use of Python's pickle.loads() function to deserialize request bodies received at the FastAPI endpoints /simple_execute/{method} and /execute/{method}. Pickle deserialization is inherently unsafe when processing untrusted input because it can instantiate arbitrary objects and execute arbitrary code during deserialization. Although the application attempts to restrict access via a nonce-based authorization mechanism, this check is flawed: the nonce defaults to an empty string and the authorization check is effectively skipped. Consequently, remote attackers can send maliciously crafted pickle payloads without authentication, leading to remote code execution (RCE) on the server hosting the application. This vulnerability is classified under CWE-502 (Deserialization of Untrusted Data). The CVSS 4.0 vector indicates no required privileges, no user interaction, and network attack vector, with high impact on confidentiality, integrity, and availability. The absence of patches at the time of disclosure increases the urgency for mitigation. While no active exploits have been reported, the vulnerability's characteristics make it a prime target for attackers aiming to compromise systems running this software.

The impact of CVE-2026-26215 is severe for organizations using the manga-image-translator software, especially in shared API mode. Successful exploitation results in unauthenticated remote code execution, allowing attackers to fully compromise the affected server. This can lead to data theft, system manipulation, deployment of malware or ransomware, lateral movement within networks, and disruption of services. Because the vulnerability requires no authentication or user interaction, attackers can exploit it remotely and at scale. Organizations relying on this software for image translation or related services face risks to confidentiality, integrity, and availability of their systems and data. Additionally, compromised servers could be used as pivot points for further attacks within an organization’s infrastructure. The lack of available patches at disclosure heightens the risk, necessitating immediate defensive actions to prevent exploitation.

To mitigate CVE-2026-26215, organizations should immediately disable or restrict access to the vulnerable FastAPI endpoints (/simple_execute/{method} and /execute/{method}) until a secure patch or update is available. Avoid using pickle or any unsafe deserialization methods on untrusted input; instead, switch to safer serialization formats such as JSON with strict schema validation. Implement robust authentication and authorization mechanisms that do not rely on default or empty values, ensuring nonce or token checks are properly enforced. Network-level controls such as IP whitelisting, firewall rules, and API gateways can limit exposure of the vulnerable endpoints. Monitor logs for suspicious requests containing unusual payloads indicative of pickle deserialization attempts. If possible, run the application in a sandboxed or containerized environment with minimal privileges to limit the impact of potential exploitation. Stay updated with vendor advisories and apply patches promptly once released. Conduct code reviews to identify and remediate other unsafe deserialization practices.