CVE-2026-3059

Name of the Vulnerable Software and Affected Versions SGLang (affected versions not specified)

Description The SGLang multimodal generation module is susceptible to unauthenticated remote code execution. This occurs through the ZMQ broker, which deserializes untrusted data using the pickle.loads() function without authentication. The pickle.loads() function is used to convert a byte stream into an object, and in this case, it processes data from an untrusted source, potentially allowing an attacker to execute arbitrary code on the system. The vulnerable component is the ZMQ broker.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.