Skip to main content

SGLang CVE-2026-7669

MEDIUM
Improper Input Validation (CWE-20)
2026-05-02 cna@vuldb.com
Python Deserialization
6.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 02, 2026 - 22:30 vuln.today
Analysis Generated
May 02, 2026 - 22:22 vuln.today
CVE Published
May 02, 2026 - 22:16 nvd
MEDIUM 6.3

DescriptionNVD

A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unsafe deserialization in SGLang's HuggingFace Transformer Handler allows remote attackers to trigger deserialization attacks via the get_tokenizer function in versions up to 0.5.9, potentially leading to code execution or information disclosure. The vulnerability requires high attack complexity and has not been patched despite early vendor notification.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-7669 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy