9.8
CVE-2026-7304: SGLang's multimodal generation runtime allows unauthenticated remote code execution
CVE-2026-7304
GHSA-36m8-w8qf-g76p
Summary
A vulnerability in SGLang allows unauthenticated remote attackers to run arbitrary code on the server when it is started with the --enable-custom-logit-processor option: the attacker-supplied custom logit processor is deserialized with dill.loads() without validation, so a crafted object runs attacker-chosen code at load time. No fixed release is available yet, so do not run SGLang with this option enabled unless it is required, and then only where every client that can reach the server is trusted; apply a fixed version as soon as one is published.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | sglang | >= 0.4.1.post7, <= 0.5.12 |
Original title
SGLang: Unauthenticated RCE via --enable-custom-logit-processor
Original description
SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
Vulnerability type
CWE-502
Deserialization of Untrusted Data
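The following is an added example, not code from SGLang or from this advisory, showing why CWE-502 in this setting is remote code execution and what a hardened loader looks like. It uses the standard-library pickle module in place of dill (dill's Unpickler subclasses pickle.Unpickler and consumes the same opcode stream, so the vulnerable behaviour is the same), the builtin open() creating a marker file as a harmless stand-in for os.system(), and a hypothetical "ban_tokens" registry entry; none of these names come from SGLang.

```python
"""Standard-library pickle stands in for dill here: dill's Unpickler subclasses
pickle.Unpickler and loads the same opcode stream, so the mechanism is the same."""
import io
import json
import os
import pickle
import tempfile


# ---- attacker side ----------------------------------------------------------
class MaliciousProcessor:
    """Sent in place of a real logit processor. The unpickler never inspects
    what __reduce__ names; it just calls it. The builtin open() creating a
    marker file is a harmless stand-in for os.system()/subprocess.Popen()."""

    def __init__(self, marker_path):
        self.marker_path = marker_path

    def __reduce__(self):
        return (open, (self.marker_path, "w"))


def build_payload(marker_path):
    return pickle.dumps(MaliciousProcessor(marker_path))


# ---- vulnerable server side (CWE-502) ---------------------------------------
def load_processor_unsafe(blob):
    """Trusts the bytes, so whatever callable the payload names runs during
    the load. dill.loads(blob) behaves the same way."""
    return pickle.loads(blob)


# ---- hardened alternatives --------------------------------------------------
class RefusingUnpickler(pickle.Unpickler):
    """Resolves no globals: every GLOBAL/STACK_GLOBAL opcode aborts the load,
    so a payload cannot name a callable. Only plain data survives this."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_processor_restricted(blob):
    return RefusingUnpickler(io.BytesIO(blob)).load()


# Preferred design: the client names a server-side processor and passes only
# parameters (data), never code. "ban_tokens" is a hypothetical registry entry.
def ban_tokens(logits, banned):
    return [float("-inf") if i in banned else x for i, x in enumerate(logits)]


PROCESSOR_REGISTRY = {"ban_tokens": ban_tokens}


def load_processor_by_name(spec_json):
    """spec_json: JSON object such as {"name": "ban_tokens", "params": {...}}."""
    spec = json.loads(spec_json)
    if not isinstance(spec, dict):
        raise ValueError("spec must be a JSON object")
    name = spec.get("name")
    if not isinstance(name, str) or name not in PROCESSOR_REGISTRY:
        raise ValueError(f"unknown processor {name!r}")
    params = spec.get("params", {})
    if not isinstance(params, dict):
        raise ValueError("params must be a JSON object")
    fn = PROCESSOR_REGISTRY[name]
    return lambda logits: fn(logits, **params)


def registry_refuses(spec_json):
    """True if the registry loader rejects the spec rather than acting on it."""
    try:
        load_processor_by_name(spec_json)
    except ValueError:
        return True
    return False


def demo():
    """Returns (unsafe_load_ran_payload, restricted_load_refused, registry_output)."""
    tmpdir = tempfile.mkdtemp()
    marker = os.path.join(tmpdir, "pwned.marker")
    payload = build_payload(marker)           # building it runs nothing yet
    try:
        obj = load_processor_unsafe(payload)  # open(marker, "w") executes here
        obj.close()
        unsafe_ran = os.path.exists(marker)
        try:
            load_processor_restricted(payload)
            refused = False
        except pickle.UnpicklingError:
            refused = True
    finally:
        if os.path.exists(marker):
            os.remove(marker)
        os.rmdir(tmpdir)
    proc = load_processor_by_name('{"name": "ban_tokens", "params": {"banned": [1]}}')
    return unsafe_ran, refused, proc([0.5, 0.7, 0.9])
```

Running demo() returns (True, True, [0.5, -inf, 0.9]): the unsafe loader executed the payload's callable before it returned anything, the refusing unpickler aborted at the first global reference, and the registry loader produced a working processor from data alone. The refusing unpickler is the minimal patch if a pickle-based wire format must be kept; the registry is the design that removes the deserialization step entirely, which is the only way to make --enable-custom-logit-processor safe to expose to unauthenticated clients.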
Published: 18 May 2026 · Updated: 30 May 2026 · First seen: 18 May 2026