Critical SGLang flaw can enable remote code execution

A critical vulnerability in SGLang can allow remote code execution on affected systems, with the flaw tracked as CVE-2026-5760 and rated 9.8 out of 10, according to a technical advisory from CERT Coordination Center released today.

KEY FACTS

  • Impact The flaw can lead to arbitrary code execution in the context of the SGLang service.
  • Affected endpoint The issue affects the /v1/rerank endpoint.
  • Attack method A specially crafted GGUF model file can carry a malicious template payload.
  • Root cause The disclosure says the problem stems from use of unsandboxed Jinja2 rendering.
  • Mitigation CERT/CC said to render model-supplied templates with jinja2.sandbox.ImmutableSandboxedEnvironment instead of jinja2.Environment().

SGLang is an open-source serving framework for large language models and multimodal models. The project has been forked more than 5,500 times and starred 26,100 times on GitHub.

The advisory said an attacker could create a malicious GGUF model file whose tokenizer.chat_template metadata value contains a Jinja2 server-side template injection payload. When a victim loads the model and sends a request to the rerank endpoint, SGLang renders that template, and the payload can execute arbitrary Python code on the server.
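Because the template travels inside the model file, the practical check is to read the GGUF metadata before a server ever loads it. The following is an added example, not code from SGLang or from the advisory: it parses only the GGUF header and key/value section (per the public GGUF layout: magic, version, tensor count, KV count, then length-prefixed keys and typed values), pulls out tokenizer.chat_template, and flags Jinja2 constructs that a chat template has no reason to contain. The minimal writer at the bottom exists only to construct sample files for the demonstration; the regex is a heuristic and is not a substitute for sandboxed rendering.

```python
"""Inspect a GGUF file's tokenizer.chat_template before a server loads it (added example)."""
import io
import re
import struct

# GGUF metadata value type codes, as defined in the GGUF specification.
GGUF_MAGIC = b"GGUF"
(T_UINT8, T_INT8, T_UINT16, T_INT16, T_UINT32, T_INT32, T_FLOAT32,
 T_BOOL, T_STRING, T_ARRAY, T_UINT64, T_INT64, T_FLOAT64) = range(13)
_SCALAR_FMT = {T_UINT8: "<B", T_INT8: "<b", T_UINT16: "<H", T_INT16: "<h",
               T_UINT32: "<I", T_INT32: "<i", T_FLOAT32: "<f", T_BOOL: "<?",
               T_UINT64: "<Q", T_INT64: "<q", T_FLOAT64: "<d"}


def _read(f, fmt):
    return struct.unpack(fmt, f.read(struct.calcsize(fmt)))[0]


def _read_string(f):
    # GGUF strings are a little-endian uint64 byte length followed by UTF-8.
    return f.read(_read(f, "<Q")).decode("utf-8")


def _read_value(f, vtype):
    if vtype in _SCALAR_FMT:
        return _read(f, _SCALAR_FMT[vtype])
    if vtype == T_STRING:
        return _read_string(f)
    if vtype == T_ARRAY:
        etype, count = _read(f, "<I"), _read(f, "<Q")
        return [_read_value(f, etype) for _ in range(count)]
    raise ValueError(f"unknown GGUF value type {vtype}")


def read_gguf_metadata(data: bytes) -> dict:
    """Parse only the header and key/value metadata; tensor data is never touched."""
    f = io.BytesIO(data)
    if f.read(4) != GGUF_MAGIC:
        raise ValueError("not a GGUF file")
    version = _read(f, "<I")
    if version < 2:
        raise ValueError(f"unsupported GGUF version {version}")
    _tensor_count = _read(f, "<Q")
    kv_count = _read(f, "<Q")
    meta = {}
    for _ in range(kv_count):
        key = _read_string(f)
        meta[key] = _read_value(f, _read(f, "<I"))
    return meta


# Heuristic markers of Jinja2 SSTI: dunder attribute walks, the Python object
# escape hatches, and OS/process access. A chat template needs none of these.
SUSPICIOUS = re.compile(
    r"__\w+__|\.(mro|subclasses|globals|builtins|import)\b|\bos\.|popen|subprocess",
    re.IGNORECASE,
)


def suspicious_template_findings(template: str) -> list:
    return sorted({m.group(0) for m in SUSPICIOUS.finditer(template)})


def audit_gguf_chat_template(data: bytes) -> dict:
    """Report whether the file carries a chat template and what looks wrong in it."""
    template = read_gguf_metadata(data).get("tokenizer.chat_template")
    findings = suspicious_template_findings(template) if template else []
    return {"has_template": template is not None,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample inputs: a minimal GGUF v3 writer (string metadata only, no tensors)
# used solely to build test files for this example.
def _gguf_string(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack("<Q", len(b)) + b


def build_gguf(metadata: dict) -> bytes:
    body = b"".join(_gguf_string(k) + struct.pack("<I", T_STRING) + _gguf_string(v)
                    for k, v in metadata.items())
    return GGUF_MAGIC + struct.pack("<IQQ", 3, 0, len(metadata)) + body


BENIGN_TEMPLATE = "{% for m in messages %}{{ m.role }}: {{ m.content }}\n{% endfor %}"
MALICIOUS_TEMPLATE = BENIGN_TEMPLATE + "{{ cycler.__init__.__globals__.os.popen('id').read() }}"

if __name__ == "__main__":
    for label, meta in (("benign", {"general.architecture": "llama", "tokenizer.chat_template": BENIGN_TEMPLATE}),
                        ("malicious", {"tokenizer.chat_template": MALICIOUS_TEMPLATE})):
        print(label, audit_gguf_chat_template(build_gguf(meta)))
```

Run this over a downloaded model before pointing a server at it; a hit is grounds to reject the file, while a clean result only means the template contains none of the listed markers.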

Security researcher Stuart Beck said the underlying issue is that SGLang renders the template with jinja2.Environment() rather than with a sandboxed ImmutableSandboxedEnvironment. The report said the same attack surface has been fixed in other projects, citing a vLLM advisory and a previously patched flaw in llama_cpp_python.
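The difference between the two environments is easiest to see side by side. This is an added example, not SGLang's code or the researcher's proof of concept: the constructed chat template below walks from Jinja2's built-in `cycler` global to the interpreter's `os` module, which is the standard Jinja2 SSTI route. It calls os.getpid() so the output is harmless and deterministic; the same path reaches os.popen(). Rendered through jinja2.Environment() the template reads the server process's PID; rendered through ImmutableSandboxedEnvironment the underscore-prefixed attribute access is refused and jinja2.sandbox.SecurityError is raised instead.

```python
"""Vulnerable vs. sandboxed rendering of a model-supplied chat template (added example)."""
import os

import jinja2
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed stand-in for a GGUF tokenizer.chat_template value controlled by
# whoever built the model file. The tail is a classic Jinja2 SSTI payload:
# cycler is a default Jinja2 global, its __init__.__globals__ is the jinja2.utils
# module namespace, and that namespace imports os.
BENIGN_CHAT_TEMPLATE = "{% for m in messages %}{{ m.role }}: {{ m.content }}\n{% endfor %}"
MALICIOUS_CHAT_TEMPLATE = BENIGN_CHAT_TEMPLATE + "pid={{ cycler.__init__.__globals__.os.getpid() }}"

# Constructed request body, standing in for the messages a rerank request would format.
MESSAGES = [{"role": "user", "content": "rank these passages"}]


def render_unsandboxed(chat_template: str, messages) -> str:
    """The pattern the advisory describes: template text from the model file is
    compiled in a full jinja2.Environment, so template code runs with the
    privileges of the serving process."""
    env = jinja2.Environment()
    return env.from_string(chat_template).render(messages=messages)


def render_sandboxed(chat_template: str, messages) -> str:
    """The recommended fix: ImmutableSandboxedEnvironment refuses access to
    underscore-prefixed and internal attributes and to mutating method calls,
    raising SecurityError instead of evaluating the payload."""
    env = ImmutableSandboxedEnvironment()
    return env.from_string(chat_template).render(messages=messages)


def payload_executed(rendered: str) -> bool:
    """True if the template managed to read the server process's PID."""
    return rendered.rstrip().endswith(f"pid={os.getpid()}")


def sandbox_blocks_payload(chat_template: str, messages) -> bool:
    """True if the sandbox rejects the template (SecurityError) or, failing that,
    renders it without the payload having run."""
    try:
        rendered = render_sandboxed(chat_template, messages)
    except SecurityError:
        return True
    return not payload_executed(rendered)


if __name__ == "__main__":
    out = render_unsandboxed(MALICIOUS_CHAT_TEMPLATE, MESSAGES)
    print("unsandboxed last line:", out.strip().splitlines()[-1])
    print("payload executed:", payload_executed(out))
    print("sandbox blocks payload:", sandbox_blocks_payload(MALICIOUS_CHAT_TEMPLATE, MESSAGES))
    print("sandbox still renders benign template:",
          repr(render_sandboxed(BENIGN_CHAT_TEMPLATE, MESSAGES)))
```

Note that the benign template renders identically in both environments; the sandbox costs nothing for legitimate chat templates, which only loop over messages and print fields. It is also only a last line of defence: it does not stop a template from being slow, enormous, or misleading, so treating third-party model files as untrusted input still applies.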

CERT/CC said it obtained no response or patch from the project during coordination. The disclosure also noted that the attack requires two steps on the victim's side: the victim must download and load the malicious model, and the server must then receive a request that reaches the vulnerable rerank endpoint.

WHY IT MATTERS

The flaw could let a malicious model turn an inference server into a remote execution target, which raises risk for systems that load third-party models. The advisory recommends sandboxed template rendering to reduce the chance of arbitrary code running on the server.