CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-3060

SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.018

EPSS Ranking 83.1%

CVSS Severity

CVSS v3 Score 9.8

References

https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py
https://github.com/sgl-project/sglang/pull/20904
https://github.com/sgl-project/sglang/releases/tag/v0.5.10
https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/

Products affected by CVE-2026-3060

Lmsys » Sglang » Version: 0.5.5

cpe:2.3:a:lmsys:sglang:0.5.5
Lmsys » Sglang » Version: 0.5.6

cpe:2.3:a:lmsys:sglang:0.5.6
Lmsys » Sglang » Version: 0.5.7

cpe:2.3:a:lmsys:sglang:0.5.7
Lmsys » Sglang » Version: 0.5.8

cpe:2.3:a:lmsys:sglang:0.5.8
Lmsys » Sglang » Version: 0.5.9

cpe:2.3:a:lmsys:sglang:0.5.9

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-3060

Products

Pricing

Contact Us