Endor Patches | CVE-2026-7301, SGLanG: Multimodal scheduler deserializes untrusted ...
Source: Endorlabs
Published:
<p>SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.</p>