130 vulnerabilities found by Antiproof
5 open-source projects
13 CVEs reserved

The multimodal generation runtime scheduler's ROUTER socket calls pickle.loads() on incoming messages, enabling unauthenticated remote code execution when the socket is exposed to the internet.

This is a different socket from the ZeroMQ broker covered by CVE-2026-3059, which binds to all network interfaces unconditionally. The scheduler ROUTER socket follows the configured --host, which defaults to 127.0.0.1, and is exposed when SGLang is run with --host 0.0.0.0 to serve remote clients.

Severity
CVSS 3.1 9.8
Preconditions
SGLang multimodal generation runtime serving a diffusion model. Network access to the scheduler ROUTER port, exposed when SGLang is run with --host 0.0.0.0. No authentication required.
Impact
Unauthenticated remote code execution as the SGLang process user. Full host compromise.

The multimodal generation runtime accepts file uploads on /v1/images/edits and /v1/videos and uses the client-supplied multipart filename as a filesystem path component without sanitization. A filename containing ../ writes arbitrary files anywhere the server process can write.

Severity
CVSS 3.1 9.1
Preconditions
SGLang multimodal generation runtime. HTTP access to /v1/images/edits or /v1/videos. No authentication required.
Impact
Arbitrary file write as the SGLang process user. Typically promotes to remote code execution (cron, systemd unit, SSH authorized_keys, Python site-packages).

SGLang's serving runtime accepts a hex-encoded dill payload in the custom_logit_processor field and deserializes it via dill.loads() without validation. When --enable-custom-logit-processor is set, any client that can reach a generation endpoint can execute code on the host.

Severity
CVSS 3.1 9.8
Preconditions
Server started with --enable-custom-logit-processor (recommended in the SGLang docs for DeepSeek-R1 and GLM-4). HTTP access to any generation endpoint. No authentication required.
Impact
Unauthenticated remote code execution as the SGLang process user. Full host compromise.

The multimodal generation runtime starts a ZeroMQ broker that binds a REP socket on all network interfaces (tcp://*:{server_port + 1}) and calls pickle.loads() on every incoming message. The broker is exposed unconditionally regardless of the --host setting.

Antiproof found this vulnerability independently, and we responsibly disclosed it to the SGLang team on 2026-03-10. On 2026-03-11, Orca Security published a blog post covering the same vulnerability, tracked as CVE-2026-3059 and credited to Orca.

Preconditions
SGLang multimodal generation runtime serving a diffusion model. Network access to the broker port (server_port + 1), exposed by default. No authentication required.
Impact
Unauthenticated remote code execution as the SGLang process user.

Ray Data's custom Arrow extension types pass deserialization metadata directly to cloudpickle.loads(), so reading a crafted Parquet file that carries such an extension type runs arbitrary code on the worker that processes it.

Severity
CVSS 3.1 8.8
CVSS 4.0 8.9
Preconditions
A Ray Data workload that reads attacker-controlled Parquet files, such as a dataset pulled from Hugging Face. Affects ray ≥ 2.49.0, < 2.55.0. Patched in 2.55.0.
Impact
Remote code execution on the Ray cluster.
CVE | Project | Impact | Status
Reserved | Ray | Remote code execution | Under embargo
Reserved | Ray | Remote code execution | Under embargo
Reserved | Ray | Remote code execution | Under embargo
Reserved | Ray | Remote code execution | Under embargo
Reserved | LiteLLM | Remote code execution | Under embargo
Reserved | LiteLLM | Remote code execution | Under embargo
Reserved | LiteLLM | Arbitrary file read | Under embargo
Reserved | vLLM | Remote code execution | Under embargo
Reserved | PyTorch | Out-of-bounds write | Under embargo