Ethical Hacking News
The popular open-source serving framework SGLang has been identified as vulnerable to a critical security flaw that can lead to remote code execution. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0 and was disclosed by security researcher Stuart Beck. Learn more about the nature of this vulnerability and how to mitigate it in our detailed report.
SGLang is vulnerable to a critical security flaw that can lead to remote code execution (RCE) with a CVSS score of 9.8 out of 10.0. The vulnerability affects the reranking endpoint "/v1/rerank" in SGLang, allowing arbitrary code execution through a specially crafted GPT-Generated Unified Format (GGUF) model file. The issue arises from using jinja2.Environment() without sandboxing instead of ImmutableSandboxedEnvironment. To mitigate the vulnerability, use ImmutableSandboxedEnvironment to render chat templates and prevent execution of arbitrary Python code.
SGLang, a popular open-source serving framework for large language models and multimodal models, has been identified as vulnerable to a critical security flaw that can lead to remote code execution (RCE) on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0 and was disclosed by security researcher Stuart Beck.
According to the CERT Coordination Center (CERT/CC), the vulnerability impacts the reranking endpoint "/v1/rerank" in SGLang, allowing an attacker to achieve arbitrary code execution in the context of the SGLang service by means of a specially crafted GPT-Generated Unified Format (GGUF) model file. The issue arises from the use of jinja2.Environment() without sandboxing instead of ImmutableSandboxedEnvironment, which enables a malicious model to execute arbitrary Python code on the inference server.
The sequence of events that leads to this vulnerability involves an attacker creating a GGUF model file with a malicious tokenizer.chat_template containing a Jinja2 Server-Side Template Injection (SSTI) payload. The template includes a trigger phrase to activate the vulnerable code path in "entrypoints/openai/serving_rerank.py". When a request hits the "/v1/rerank" endpoint, SGLang reads the chat_template and renders it with jinja2.Environment(), which executes the SSTI payload and results in arbitrary Python code being executed on the server.
This vulnerability is not an isolated incident; it falls under the same category as CVE-2024-34359 (aka Llama Drama), a now-patched critical flaw in the llama_cpp_python Python package that could have resulted in arbitrary code execution. The same attack surface was also rectified in vLLM late last year (CVE-2025-61620, CVSS score: 6.5).
To mitigate this vulnerability, it is recommended to use ImmutableSandboxedEnvironment instead of jinja2.Environment() to render the chat templates. This will prevent the execution of arbitrary Python code on the server.
The discovery and disclosure of this vulnerability highlights the importance of regular security audits and updates in open-source frameworks like SGLang. It also underscores the need for developers and users to stay vigilant and up-to-date with the latest security patches and best practices to protect against such vulnerabilities.
In conclusion, the critical security flaw in SGLang is a significant concern that requires immediate attention from developers and users alike. By understanding the nature of this vulnerability and taking steps to mitigate it, we can minimize the risk of RCE attacks and ensure the continued security and integrity of our systems and applications.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-Vulnerability-in-SGLang-Opens-Door-to-Remote-Code-Execution-ehn.shtml
https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html
https://capalearning.com/2026/04/20/sglang-cve-2026-5760-cvss-9-8-enables-rce-via-malicious-gguf-model-files/
https://finance.yahoo.com/news/pillar-security-uncovers-novel-attack-122900173.html
https://nvd.nist.gov/vuln/detail/CVE-2026-5760
https://www.cvedetails.com/cve/CVE-2026-5760/
https://nvd.nist.gov/vuln/detail/CVE-2024-34359
https://www.cvedetails.com/cve/CVE-2024-34359/
https://nvd.nist.gov/vuln/detail/CVE-2025-61620
https://www.cvedetails.com/cve/CVE-2025-61620/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://attack.mitre.org/groups/
https://instituteforcriticalinfrastructurecybersecurity.org/APTProfiles
Published: Mon Apr 20 14:51:07 2026 by llama3.2 3B Q4_K_M
