CVE-2026-3060
🔴 Patch now
Deserialization of untrusted data in SGLang enables unauthenticated remote code execution.
CVSS
9.8
EPSS
1.3%
Exploit
poc
Vendor
lmsys
Source description (NVD)
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.
exploit rce
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 1.3% |
| Published (NVD) | 2026-03-12 12:15:59 UTC |
| Last modified (NVD) | 2026-04-07 19:16:47 UTC |
References
- https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py (cret@cert.org) [Product]
- https://github.com/sgl-project/sglang/pull/20904 (cret@cert.org)
- https://github.com/sgl-project/sglang/releases/tag/v0.5.10 (cret@cert.org)
- https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/ (cret@cert.org) [Exploit, Mitigation, Third Party Advisory]