9.8
SGLang Multimodal Module Allows Remote Code Execution
CVE-2026-3059
GHSA-rgq9-fqf5-fv58
Summary
An attacker can execute arbitrary code on your server without authenticating. This is a serious risk because the attacker could access sensitive data or take control of the server. You should update SGLang to the latest version to fix this vulnerability.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | sglang | <= 0.5.9 | – |
Original title
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
Original description
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
Vulnerability type
CWE-502
Deserialization of Untrusted Data
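The weakness described above is that bytes received from the broker reach `pickle.loads()` before the sender is authenticated. The following added example (not SGLang's code or its fix) shows one defensive receive path for such frames. It assumes a pre-shared HMAC key and JSON-encodable messages, and every name and sample value in it is hypothetical.

```python
import hashlib
import hmac
import json
import pickle

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


class RejectedFrame(Exception):
    """Frame failed authentication or is not a JSON object."""


def encode_frame(key: bytes, message: dict) -> bytes:
    """Serialize as JSON (data only, no code) and prepend an HMAC tag."""
    body = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


def decode_frame(key: bytes, frame: bytes) -> dict:
    """Authenticate first, parse second; bytes never reach pickle."""
    if len(frame) <= TAG_LEN:
        raise RejectedFrame("frame too short")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        raise RejectedFrame("bad authentication tag")
    try:
        message = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedFrame("body is not JSON") from exc
    if not isinstance(message, dict):
        raise RejectedFrame("top-level value must be an object")
    return message


def is_accepted(key: bytes, frame: bytes) -> bool:
    """True only if the frame authenticates and parses."""
    try:
        decode_frame(key, frame)
        return True
    except RejectedFrame:
        return False


# Constructed sample data (assumptions, not values from the advisory).
KEY = b"constructed-demo-key-not-a-real-secret"
GOOD = encode_frame(KEY, {"prompt": "a cat", "steps": 4})
TAMPERED = GOOD[:-1] + b"]"  # body changed after the tag was computed
# Benign pickle bytes: the kind of frame the vulnerable path would load.
UNAUTHENTICATED = pickle.dumps({"prompt": "a cat", "steps": 4})
```

Key distribution and replay protection are outside the scope of this example.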
- https://github.com/sgl-project/sglang/blob/main/python/sglang/multimodal_gen/run...
- https://github.com/sgl-project/sglang/security/advisories/GHSA-3cp7-c6q2-94xr
- https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2026-3059
- https://github.com/advisories/GHSA-rgq9-fqf5-fv58
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026