CVE-2026-3961 in manga-image-translatorinfo

Summary

by MITRE • 03/12/2026

A vulnerability was determined in zyddnys manga-image-translator up to beta-0.3. The affected element is the function to_pil_image of the file manga-image-translator-main/server/request_extraction.py of the component Translate Endpoints. This manipulation causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/17/2026

The vulnerability identified as CVE-2026-3961 affects the zyddnys manga-image-translator project, specifically targeting the to_pil_image function within the server/request_extraction.py file of the Translate Endpoints component. This issue represents a critical security flaw that enables server-side request forgery attacks, allowing remote exploitation of the affected system. The vulnerability manifests through improper handling of image processing requests, creating a pathway for attackers to manipulate server-side operations through crafted input parameters.

The technical flaw stems from insufficient validation and sanitization of input data within the image translation endpoint. When the to_pil_image function processes incoming image requests, it fails to properly validate external references or URLs that may be embedded within the image metadata or processing parameters. This weakness creates an opportunity for attackers to inject malicious URLs or references that the server will attempt to resolve, thereby enabling the execution of unauthorized server-side requests. The vulnerability operates at the intersection of insecure input handling and inadequate network security controls, making it particularly dangerous in server environments where the application has network access to internal systems.

The operational impact of this vulnerability extends beyond simple data exfiltration, as it enables attackers to potentially access internal network resources, perform reconnaissance on internal systems, and escalate privileges within the server environment. Remote exploitation means that attackers can leverage this vulnerability from outside the network perimeter without requiring physical access or prior authentication. The fact that the exploit has been publicly disclosed increases the risk profile significantly, as it provides adversaries with detailed information about the attack vector and potential targets. This vulnerability can be particularly devastating in environments where the manga-image-translator server has access to sensitive internal resources or databases.

Security professionals should implement immediate mitigations including input validation controls, network segmentation, and the implementation of web application firewalls to monitor and block suspicious requests. The vulnerability aligns with CWE-918, which describes server-side request forgery vulnerabilities, and corresponds to ATT&CK technique T1190, which covers exploitation of remote services. Organizations should also consider implementing strict URL validation, disabling unnecessary network access for the application, and conducting thorough security assessments of all external dependencies. The lack of response from the project maintainers following the initial issue report suggests a potential delay in addressing critical security concerns, highlighting the importance of proactive security measures and alternative mitigation strategies for users who cannot wait for official patches.

Responsible

VulDB

Disclosure

03/12/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00251

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!