EXECUTIVE SUMMARY:
A critical vulnerability, CVE-2026-5760, has been reported in the SGLang framework that allows remote code execution through improper handling of model files. The flaw is reachable through the /v1/rerank endpoint: a specially crafted GGUF model file whose tokenizer.chat_template metadata contains malicious Jinja2 markup triggers server-side template injection when that template is rendered. Because the template is rendered in an unsandboxed Jinja2 environment, an attacker can execute arbitrary Python code once the model is loaded and processed, leading to full compromise of the host. Exploitation is low-effort and requires neither authentication nor user interaction, and may result in unauthorized access, data exfiltration, lateral movement, or service disruption. The vulnerability carries a CVSS score of 9.8.
RECOMMENDATION:
We recommend updating SGLang to a fixed release from: https://github.com/sgl-project/sglang/releases
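Until the upgrade is in place, a loader can refuse model files whose metadata already looks like a template-injection payload. The block below is an added example and is not SGLang code: it writes a minimal, tensor-less GGUF blob following the public GGUF layout (magic, version, tensor count, KV count, then typed key/value pairs), reads the metadata back, and flags a tokenizer.chat_template that references the dunder attributes SSTI gadget chains depend on. The sample templates and the marker list are constructed here for illustration, and the marker scan is a heuristic for triage, not a substitute for the fix. The real server-side mitigation is to render chat templates with Jinja2's ImmutableSandboxedEnvironment rather than a plain Environment; render_sandboxed shows that pattern and imports jinja2 lazily so the rest of the file stays stdlib-only.

```python
"""Triage GGUF metadata before a loader hands tokenizer.chat_template to Jinja2.

Added example, not SGLang code. GGUF layout follows the public format spec;
the sample templates and gadget markers below are constructed for illustration.
"""
import struct

GGUF_MAGIC = b"GGUF"
# GGUF metadata value type codes, in spec order
(T_UINT8, T_INT8, T_UINT16, T_INT16, T_UINT32, T_INT32, T_FLOAT32,
 T_BOOL, T_STRING, T_ARRAY, T_UINT64, T_INT64, T_FLOAT64) = range(13)
_SCALAR_FMT = {T_UINT8: "<B", T_INT8: "<b", T_UINT16: "<H", T_INT16: "<h",
               T_UINT32: "<I", T_INT32: "<i", T_FLOAT32: "<f", T_BOOL: "<?",
               T_UINT64: "<Q", T_INT64: "<q", T_FLOAT64: "<d"}

# Substrings that legitimate chat templates never need but classic Jinja2
# SSTI gadget chains ('' .__class__.__mro__[1].__subclasses__() ...) do.
GADGET_MARKERS = ("__class__", "__subclasses__", "__mro__", "__globals__",
                  "__builtins__", "__import__", "__init__", "popen", "subprocess", ".system(")

# Constructed sample templates (not taken from any real model file)
BENIGN_TEMPLATE = "{% for m in messages %}{{ m['role'] }}: {{ m['content'] }}\n{% endfor %}"
MALICIOUS_TEMPLATE = "{{ ''.__class__.__mro__[1].__subclasses__() }}"


def _gguf_string(s: str) -> bytes:
    """GGUF string: uint64 byte length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack("<Q", len(b)) + b


def build_gguf(metadata: dict) -> bytes:
    """Build a minimal tensor-less GGUF v3 blob whose metadata values are all strings."""
    out = [GGUF_MAGIC, struct.pack("<I", 3), struct.pack("<Q", 0), struct.pack("<Q", len(metadata))]
    for key, value in metadata.items():
        out += [_gguf_string(key), struct.pack("<I", T_STRING), _gguf_string(value)]
    return b"".join(out)


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, fmt: str):
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self) -> str:
        n = self.take("<Q")
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n
        return s

    def value(self, vtype: int):
        if vtype == T_STRING:
            return self.string()
        if vtype == T_ARRAY:  # element type, then count, then packed elements
            et, n = self.take("<I"), self.take("<Q")
            return [self.value(et) for _ in range(n)]
        return self.take(_SCALAR_FMT[vtype])


def read_gguf_metadata(data: bytes) -> dict:
    """Parse only the metadata section; tensor info and data are not needed for triage."""
    if data[:4] != GGUF_MAGIC:
        raise ValueError("not a GGUF file")
    r = _Reader(data)
    r.pos = 4
    version = r.take("<I")
    if version not in (2, 3):
        raise ValueError(f"unsupported GGUF version {version}")
    r.take("<Q")  # tensor count, unused here
    kv_count = r.take("<Q")
    meta = {}
    for _ in range(kv_count):
        key = r.string()
        meta[key] = r.value(r.take("<I"))
    return meta


def scan_chat_template(meta: dict) -> list:
    """Return the gadget markers found in tokenizer.chat_template (empty list = nothing flagged)."""
    tpl = meta.get("tokenizer.chat_template")
    if not isinstance(tpl, str):
        return []
    return [m for m in GADGET_MARKERS if m in tpl]


def render_sandboxed(template_src: str, **ctx) -> str:
    """Render with Jinja2's ImmutableSandboxedEnvironment, which refuses access to
    underscore-prefixed attributes such as __class__ (raises SecurityError) and so
    breaks the usual gadget chains. A mitigation, not a guarantee; requires jinja2."""
    from jinja2.sandbox import ImmutableSandboxedEnvironment
    env = ImmutableSandboxedEnvironment(autoescape=False)
    return env.from_string(template_src).render(**ctx)


if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN_TEMPLATE), ("malicious", MALICIOUS_TEMPLATE)):
        blob = build_gguf({"general.architecture": "llama", "tokenizer.chat_template": tpl})
        print(name, "->", scan_chat_template(read_gguf_metadata(blob)) or "clean")
```

Run it as a script to see the benign template pass and the constructed malicious one get flagged; in a loader, a non-empty result from scan_chat_template should abort the load, and any template that does pass should still only ever be rendered through the sandboxed environment.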
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html