ГлавнаяУязвимости → CVE-2026-3059
9.8критическая

CVE-2026-3059

Описание

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.

Затрагиваемое ПО
Lmsys Sglang
CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/sgl-project/sglang/blob/main/python/sglang/multimodal_gen/runtime/scheduler_client.pyhttps://github.com/sgl-project/sglang/pull/20904https://github.com/sgl-project/sglang/releases/tag/v0.5.10https://github.com/sgl-project/sglang/security/advisories/GHSA-3cp7-c6q2-94xrhttps://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/