A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems.
The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.
SGLang is a high-performance, open-source serving framework for large language models and multimodal models. The official GitHub project has been forked over 5,500 times and starred 26,100 times.Â
According to the CERT Coordination Center (CERT/CC), the vulnerability impacts the reranking endpoint “/v1/rerank,” allowing an attacker to achieve arbitrary code execution in the context of the SGLang service by means of a specially crafted GPT-Generated Unified Format (GGUF) model file.
“An attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted tokenizer.chat_template parameter that contains a Jinja2 server-side template injection (SSTI) payload with a trigger phrase to activate the vulnerable code path,” CERT/CC said in an advisory released today.
“The victim then downloads and loads the model in SGLang, and when a request hits the “/v1/rerank” endpoint, the malicious template is rendered, executing the attacker’s arbitrary Python code on the server. This sequence of events enables the attacker to achieve remote code execution (RCE) on the SGLang server.”
Per security researcher Stuart Beck, who discovered and reported the flaw, the underlying issue stems from the use of jinja2.Environment() without sandboxing instead of ImmutableSandboxedEnvironment. This, in turn, enables a malicious model to execute arbitrary Python code on the inference server.
The entire sequence of actions is as follows –
- An attacker creates a GGUF model file with a malicious tokenizer.chat_template containing a Jinja2 SSTI payload
- The template includes the Qwen3 reranker trigger phrase to activate the vulnerable code path in “entrypoints/openai/serving_rerank.py”
- Victim downloads and loads the model in SGLang from sources like Hugging Face
- When a request hits the “/v1/rerank” endpoint, SGLang reads the chat_template and renders it with jinja2.Environment()
- The SSTI payload executes arbitrary Python code on the server
It’s worth noting that CVE-2026-5760 falls under the same vulnerability class as CVE-2024-34359 (aka Llama Drama, CVSS score: 9.7), a now-patched critical flaw in the llama_cpp_python Python package that could have resulted in arbitrary code execution. The same attack surface was also rectified in vLLM late last year (CVE-2025-61620, CVSS score: 6.5).
“To mitigate this vulnerability, it is recommended to use ImmutableSandboxedEnvironment instead of jinja2.Environment() to render the chat templates,” CERT/CC said. “This will prevent the execution of arbitrary Python code on the server. No…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
