
A critical security vulnerability in manga-image-translator, a widely used open-source OCR tool with over 9,300 GitHub stars, allows attackers to execute arbitrary code on vulnerable servers without authentication—a flaw that security researcher Valentin Lobstein says has been hiding in plain sight for months.
The vulnerability, now tracked as CVE-2026-26215 with a CVSS score of 9.8, stems from a dangerous combination: the use of Python's pickle module for deserialising untrusted data and a nonce-based authentication mechanism that fails silently by default.
What is manga-image-translator?
manga-image-translator is an open-source automated tool that detects, extracts, and translates text embedded in manga and comic book images. The software uses optical character recognition (OCR) to identify text within images, then translates it using various backends, including GPT-4, DeepL, and Google Translate.
With over 9,300 GitHub stars and 22,000+ Docker Hub pulls, the project has become widely popular among manga enthusiasts. It offers flexible deployment options: as a web server for batch processing, a command-line tool for local use, or a browser extension for real-time translation while browsing.
In what Lobstein describes as a "false sense of security," the authentication code exists but never executes because the nonce defaults to an empty string—a falsy value in Python that causes the entire security check to be skipped.
"This one stands out because of the false sense of security," Lobstein wrote in his disclosure. "A code reviewer would see check_nonce(request) being called and assume the endpoint is protected. You have to trace through the argument defaults to realise the guard is dead code."
The flaw affects manga-image-translator's shared mode server, which exposes two FastAPI endpoints that pass raw HTTP request bodies directly to pickle.loads()—a notoriously insecure deserialization method that can execute arbitrary code.
The shared mode server binds to 0.0.0.0:5003 in all standard configurations, making it accessible to anyone on the network. With over 22,000 Docker Hub pulls and a Discord community of 3,300+ members, the attack surface is significant.
Attackers can exploit the vulnerability by sending a crafted pickle payload to either the /simple_execute or /execute endpoints. No authentication headers are needed since the MT_WEB_NONCE environment variable is never set in any official Docker Compose files, Makefiles, or deployment documentation.
Perhaps more troubling than the vulnerability itself is how the project handled previous reports. Security researcher sud0why from Tencent YunDing Security Lab filed issue #946 in May 2025, documenting the exact same pickle deserialization flaw. The report went unanswered for six months before being auto-closed by the project's stale bot. Earlier security improvement requests in issues #509 and #516 met similar fates. No CVE was assigned until Lobstein's independent discovery.
The vulnerability carries severe implications for deployments exposed to network access. Successful exploitation grants attackers complete server control, enabling data theft, malware deployment, credential harvesting, and lateral movement within compromised networks.
Lobstein recommends three immediate fixes: change the nonce default from an empty string to None with auto-generation, replace pickle.loads() with safer alternatives like JSON or MessagePack, and restrict the shared worker to localhost only. "Security features that ship disabled are worse than no security features—they create a false sense of protection," he noted.
Users running manga-image-translator in shared mode should immediately update to patched versions or disable network access to the shared mode server until fixes are applied. For those unable to patch immediately, setting a strong nonce value via the MT_WEB_NONCE environment variable provides temporary mitigation, though switching to JSON-based serialisation remains the proper long-term solution.
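The dead guard and the three recommended fixes can be sketched as follows. This is an added example, not code from manga-image-translator or from Lobstein's disclosure; the function names, the header handling and the sample values are assumptions made for illustration.

```python
import hmac
import json
import secrets

BIND_HOST = "127.0.0.1"  # recommended: localhost only, instead of 0.0.0.0


def check_nonce_skipped(header_value, nonce=""):
    """Pattern the article describes: an empty-string default disables the guard."""
    if nonce:  # "" is falsy, so this branch never runs by default
        if header_value != nonce:
            raise PermissionError("bad nonce")
    return True  # every request gets here when nonce == ""


def resolve_nonce(env):
    """Use MT_WEB_NONCE when set and non-empty, otherwise auto-generate a secret."""
    value = env.get("MT_WEB_NONCE")
    return value if value else secrets.token_urlsafe(32)


def check_nonce_enforced(header_value, nonce):
    """Fail closed: refuse to run unconfigured, always compare in constant time."""
    if not nonce:
        raise RuntimeError("nonce not configured")
    if header_value is None or not hmac.compare_digest(
        header_value.encode(), nonce.encode()
    ):
        raise PermissionError("bad nonce")
    return True


def parse_body(raw):
    """Data-only parsing in place of pickle.loads(): JSON cannot carry code."""
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj


if __name__ == "__main__":
    print(check_nonce_skipped(None))  # guard skipped: no header required
    nonce = resolve_nonce({})         # constructed empty environment
    try:
        check_nonce_enforced(None, nonce)
    except PermissionError as exc:
        print("rejected:", exc)
```
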
While manga-image-translator grapples with critical security flaws, the OCR technology landscape is witnessing significant advancements.
Bengaluru-based startup Sarvam AI recently launched Sarvam Vision, a homegrown OCR model that has outperformed global giants on specialised benchmarks. The model achieved 84.3% accuracy on the olmOCR-Bench, surpassing Google Gemini 3 Pro (80.20%) and significantly beating ChatGPT (69.80%) on the same tests.
Sarvam Vision recorded particularly strong results on OmniDocBench v1.5 with a 93.28% overall score, excelling in complex formulas and layout parsing. What sets Sarvam Vision apart is its focus on Indian languages—supporting all 22 scheduled Indian languages—an area where global models typically struggle with non-Latin scripts and regional formatting.