A critical security vulnerability has been discovered in SGLang that could lead to remote code execution on vulnerable systems.
The vulnerability, identified as CVE-2026-5760, has a CVSS score of 9.8 and is classified as a command injection flaw that allows for arbitrary code execution.
SGLang is an open-source serving framework designed for large language models and multimodal models. The project on GitHub has garnered significant attention with over 5,500 forks and 26,100 stars.
According to CERT Coordination Center (CERT/CC), the vulnerability affects the “/v1/rerank” endpoint, enabling attackers to execute arbitrary code by exploiting a specially crafted GGUF model file.
CERT/CC explained, “An attacker can exploit this vulnerability by creating a malicious GGUF model file with a crafted tokenizer.chat_template parameter that includes a Jinja2 SSTI payload. When the victim downloads and loads the model in SGLang, the malicious template triggers the execution of the attacker’s Python code on the server, leading to remote code execution.”
Security researcher Stuart Beck, who discovered the flaw, highlighted that the issue arises from using jinja2.Environment() without sandboxing, allowing malicious models to execute arbitrary Python code.
The attack involves creating a malicious GGUF model file, including a Jinja2 SSTI payload, downloading the model, triggering the vulnerable code path, and executing Python code on the server.
The vulnerability (CVE-2026-5760) is similar to CVE-2024-34359 (Llama Drama) and CVE-2025-61620 (vLLM), both addressing critical flaws that could result in arbitrary code execution. To mitigate the issue, it is advised to use ImmutableSandboxedEnvironment instead of jinja2.Environment() to render chat templates.
