Sglang · Sglang · CVE-2026-3989
**Name of the Vulnerable Software and Affected Versions**
SGLangs versions prior to the fix included in CVE-2026-3989
**Description**
The `replay request dump.py` script within SGLangs contains an insecure `pickle.load()` function that lacks validation and proper deserialization. An attacker can exploit this by providing a malicious `.pkl` file, which will execute the attacker's code on the affected device. The vulnerable function is `pickle.load()`. The script processes the `.pkl` file without verifying its contents, allowing for arbitrary code execution.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.