Which versions of manga-image-translator are affected by EUVD-2026-33328?

A critical remote code execution vulnerability in an API service leverages unsafe pickle deserialization to enable arbitrary code execution; no public exploit identified at time of analysis.. A patch is available.

How to fix or mitigate EUVD-2026-33328?

Within 24 hours: Identify and inventory all affected service deployments. Within 7 days: Apply patch including fix commit d7441481 or later vendor-released version. Within 30 days: Implement firewall rules restricting network access to vulnerable endpoints and audit Docker configurations to eliminate unnecessary root privileges.

manga-image-translator EUVD-2026-33328

Q: What is the CVSS score of EUVD-2026-33328?

EUVD-2026-33328 has a CVSS 4.0 base score of 9.2 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

| CVE-2026-10042 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-05-29 VulnCheck

GHSA-xx7c-f2fq-qmv3

RCE Docker Deserialization

9.2

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 29, 2026 - 15:28 vuln.today

v3 (cvss_changed)

Analysis Updated

May 29, 2026 - 15:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 29, 2026 - 15:22 vuln.today

cvss_changed

CVSS changed

May 29, 2026 - 15:22 NVD

9.8 (CRITICAL) 9.2 (CRITICAL)

Source Code Evidence Fetched

May 29, 2026 - 15:15 vuln.today

Analysis Generated

May 29, 2026 - 15:15 vuln.today

CVE Published

May 29, 2026 - 14:29 nvd

CRITICAL 9.8

DescriptionNVD

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root.

AnalysisAI

{method_name} and /simple_execute/{method_name} endpoints, which call pickle.loads() on raw HTTP request bodies. The flaw scored CVSS 4.0 of 9.2 and has an upstream fix in commit d7441481, but no public exploit was identified at time of analysis; risk is amplified by the default Docker image running as root, leading to full container compromise.

RemediationAI

Within 24 hours: Identify and inventory all affected service deployments. Within 7 days: Apply patch including fix commit d7441481 or later vendor-released version. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-33328 vulnerability details – vuln.today

Back

manga-image-translator EUVD-2026-33328

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

manga-image-translator EUVD-2026-33328

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code