{"id":651,"date":"2026-04-20T18:58:26","date_gmt":"2026-04-20T18:58:26","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=651"},"modified":"2026-04-20T18:58:26","modified_gmt":"2026-04-20T18:58:26","slug":"sglang-cve-2026-5760-cvss-9-8-enables-rce-via-malicious-gguf-model-files","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=651","title":{"rendered":"SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 20, 2026<\/span><\/span>Open Source \/ Server Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

A critical security vulnerability has been disclosed in SGLang <\/b>that, if successfully exploited, could result in remote code execution on susceptible systems.<\/p>\n

The vulnerability, tracked as CVE-2026-5760<\/a><\/strong>, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.<\/p>\n

SGLang<\/a> is a high-performance, open-source serving framework<\/a> for large language models and multimodal models. The official GitHub project has been forked over 5,500 times and starred 26,100 times.\u00a0<\/p>\n

According to the CERT Coordination Center (CERT\/CC), the vulnerability impacts the reranking endpoint \u00ab\/v1\/rerank,\u00bb allowing an attacker to achieve arbitrary code execution in the context of the SGLang service by means of a specially crafted GPT-Generated Unified Format (GGUF<\/a>) model file.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abAn attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted tokenizer.chat_template parameter that contains a Jinja2 server-side template injection (SSTI<\/a>) payload with a trigger phrase to activate the vulnerable code path,\u00bb CERT\/CC said<\/a> in an advisory released today.<\/p>\n

\u00abThe victim then downloads and loads the model in SGLang, and when a request hits the \u00ab\/v1\/rerank\u00bb endpoint, the malicious template is rendered, executing the attacker’s arbitrary Python code on the server. This sequence of events enables the attacker to achieve remote code execution (RCE) on the SGLang server.\u00bb<\/p>\n

Per security researcher Stuart Beck, who discovered and reported the flaw<\/a>, the underlying issue stems from the use of jinja2.Environment() without sandboxing instead of ImmutableSandboxedEnvironment. This, in turn, enables a malicious model to execute arbitrary Python code on the inference server.<\/p>\n

The entire sequence of actions is as follows –<\/p>\n