SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
CVSS Score
9.8
EPSS Score
0.018
Published
2026-03-12
SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.
CVSS Score
9.8
EPSS Score
0.018
Published
2026-03-12