Critical Remote Code Execution Vulnerabilities in SGLangs Runtime
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Two critical vulnerabilities, CVE-2026-7304 and CVE-2026-7301, have been identified in the SGLangs multimodal generation runtime. Both vulnerabilities, published on 2026-05-18, allow unauthenticated remote code execution (RCE) under specific conditions. CVE-2026-7304 exploits the --enable-custom-logit-processor option, where Python objects are deserialized without validation. CVE-2026-7301 involves the scheduler's ROUTER socket binding to 0.0.0.0 by default, allowing RCE when exposed to the internet. These vulnerabilities affect systems using SGLangs runtime, potentially impacting a wide range of applications. As of today, no patches or mitigations have been reported, leaving systems vulnerable to exploitation.
Key Points: • CVE-2026-7304 and CVE-2026-7301 allow unauthenticated remote code execution in SGLangs runtime. • Both vulnerabilities were published on 2026-05-18 and remain unpatched as of 2026-07-16. • Exploitation could lead to severe impacts on systems using the SGLangs multimodal generation runtime.