CRITICAL 9.8

PYSEC-2026-536

SGLanG: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket

Details

SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / sglang

Introduced in: 0.5.5

No fixed version published yet for sglang (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-7301 [ADVISORY]
https://antiproof.ai/blog/three-rces-in-sglang [WEB]
https://github.com/sgl-project/sglang [PACKAGE]
https://github.com/sgl-project/sglang/tree/main/python/sglang [WEB]
https://pypi.org/project/sglang [PACKAGE]
https://github.com/advisories/GHSA-gwv6-pq6m-p3rq [ADVISORY]