CVE-2026-5760

Name of the Vulnerable Software and Affected Versions SGLang (affected versions not specified)

Description Remote code execution can be achieved via the '/v1/rerank' API endpoint when a model file containing a malicious tokenizer.chat template is loaded. This occurs because Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment(), leading to server-side template injection (SSTI). An attacker can craft a malicious GGUF model file with a Jinja2 SSTI payload in the chat template and upload it to a repository. When a victim integrates this model and an unauthenticated POST request is made to the '/v1/rerank' endpoint, arbitrary Python code is executed on the server. This issue is specifically linked to the chat template phrasing in Qwen3 rerankers and the code located in 'entrypoints/openai/serving rerank.py'.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, use ImmutableSandboxedEnvironment instead of the unsandboxed environment for rendering templates. Avoid loading AI models from untrusted sources.