CVE-2026-5760

Name of the Vulnerable Software and Affected Versions SGLang (affected versions not specified)

Description An issue in the SGLang high-performance LLM serving framework allows remote code execution. The flaw exists in the serving rerank.py file, specifically within the /v1/rerank endpoint. The system uses an unsandboxed jinja2.Environment() to render tokenizer chat templates from model files, such as those in GPT-Generated Unified Format (GGUF). An attacker can craft a malicious GGUF model file containing a Server-Side Template Injection (SSTI) payload in the tokenizer.chat template and upload it to a public repository. When a user loads this model and an unauthenticated POST request is sent to the /v1/rerank endpoint, the malicious template is rendered, leading to arbitrary Python code execution on the server with the privileges of the SGLang service.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Replace jinja2.Environment() with jinja2.sandbox.ImmutableSandboxedEnvironment() in all template rendering components. Avoid loading models from untrusted sources. Restrict access to the /v1/rerank endpoint to minimize the risk of exploitation.