Vulnerability Details CVE-2026-3059
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.018
EPSS Ranking 83.1%
CVSS Severity
CVSS v3 Score 9.8
References
- https://github.com/sgl-project/sglang/blob/main/python/sglang/multimodal_gen/runtime/scheduler_client.py
- https://github.com/sgl-project/sglang/pull/20904
- https://github.com/sgl-project/sglang/releases/tag/v0.5.10
- https://github.com/sgl-project/sglang/security/advisories/GHSA-3cp7-c6q2-94xr
- https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/
Products affected by CVE-2026-3059
-
cpe:2.3:a:lmsys:sglang:0.5.5
-
cpe:2.3:a:lmsys:sglang:0.5.6
-
cpe:2.3:a:lmsys:sglang:0.5.7
-
cpe:2.3:a:lmsys:sglang:0.5.8
-
cpe:2.3:a:lmsys:sglang:0.5.9