High-Severity Flaw in SGLang Framework Opens Servers to Code Execution via Model Files

A newly identified security weakness in the popular SGLang framework could allow attackers to run their own code on servers using the software. The issue, designated CVE-2026-5760, has received a near-maximum severity rating of 9.8.

SGLang is an open-source system designed for efficiently running large language and multimodal models, with significant adoption in the developer community. The vulnerability resides in the framework's reranking function. According to an advisory from the CERT Coordination Center, an attacker can craft a malicious model file in the common GGUF format. This file contains a rigged template parameter that, when processed by the server, injects and executes Python commands.

The attack sequence requires a user to download and load the harmful model, likely from a public repository. When the SGLang server's "/v1/rerank" endpoint is used, the framework processes the malicious template using an unsafe method: a plain `jinja2.Environment()` with no sandboxing. This directly enables remote code execution on the host system.

Security researcher Stuart Beck, who found the flaw, notes the fix is conceptually straightforward: developers should switch to using `ImmutableSandboxedEnvironment` to render templates, which would block the arbitrary code execution. This class of vulnerability has appeared before in similar AI inference tools, including llama_cpp_python and vLLM, suggesting a recurring pattern in how these systems handle untrusted model data. As of the advisory's publication, no official patch from the SGLang project was available.

Source: The Hacker News
