Sglang
Monthly
Hash collision weaknesses in SGLang's multimodal Cache Handler (all versions through 0.5.11) allow a local low-privilege attacker to craft multimodal tensor inputs that produce identical cache keys via truncated SHA256 digests, causing incorrect cache lookups or cache invalidation failures that disrupt LLM serving workflows. The CVSS 4.0 score of 1.1 reflects the strictly local attack vector and high exploitation complexity, limiting real-world impact primarily to multi-tenant inference deployments. Publicly available exploit code exists per GitHub issue #25462, though no confirmed active exploitation has been observed and the vulnerability is not listed in the CISA KEV catalog.
SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability that allows an attacker to write arbitrary files anywhere the server process has write access by including ../ sequences in the upload filename sent to specific endpoints.
SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.
Remote code execution in SGLang 0.5.9's /v1/rerank endpoint allows unauthenticated attackers to execute arbitrary code by loading specially crafted model files with malicious Jinja2 templates. The vulnerability stems from unsandboxed rendering of tokenizer.chat_template fields, enabling template injection attacks. Publicly available exploit code exists (GitHub POC by Stuub). With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and SSVC ratings of automatable with total technical impact, this represents critical risk for exposed SGLang deployments handling untrusted model files.
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated RCE through pickle deserialization in the disaggregation module's inter-process communication. Same class of vulnerability as CVE-2026-3059 in a different code path.
SGLang's multimodal generation module deserializes untrusted data with pickle.loads() over an unauthenticated ZMQ broker, enabling remote code execution. Any attacker who can reach the ZMQ port can execute arbitrary Python code on the ML inference server.