pkg:PyPI/sglang

8 total CVEs: CRITICAL 5, HIGH 2, MEDIUM 1

All known vulnerabilities

  • CRITICAL 9.8 CVE-2026-7304 SGLang: Unauthenticated RCE via --enable-custom-logit-processor
    >= 0.4.1.post7, <= 0.5.12
  • CRITICAL 9.8 CVE-2026-7301 SGLang: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket
    >= 0.5.5, <= 0.5.12
  • CRITICAL 9.8 CVE-2026-3059 SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
    from 0, < 0.5.10
  • CRITICAL 9.8 CVE-2026-3060 SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module
    from 0, < 0.5.10
  • CRITICAL 9.1 CVE-2026-7302 SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability
    >= 0.5.5, <= 0.5.12
  • HIGH 7.8 CVE-2026-3989 SGLang's `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization
    from 0, < 0.5.10
  • HIGH 7.3 CVE-2025-10164 SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor
    from 0, < 0.5.4
  • MEDIUM 5.6 CVE-2026-7669 SGLang has an Improper Input Validation/Injection Issue
    from 0, <= 0.5.9