CRITICAL 9.8

PYSEC-2026-537

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module

상세

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / sglang

최초 영향 버전: 0 수정 버전: 0.5.10

수정 pip install --upgrade 'sglang>=0.5.10'

참고

https://nvd.nist.gov/vuln/detail/CVE-2026-3060 [ADVISORY]
https://github.com/sgl-project/sglang/pull/20904 [WEB]
https://github.com/sgl-project/sglang [PACKAGE]
https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py [WEB]
https://github.com/sgl-project/sglang/releases/tag/v0.5.10 [WEB]
https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities [WEB]
https://pypi.org/project/sglang [PACKAGE]
https://github.com/advisories/GHSA-jx93-g359-86wm [ADVISORY]