CVE-2026-3060

Name of the Vulnerable Software and Affected Versions SGLang versions (affected versions not specified)

Description The SGLang encoder parallel disaggregation system is susceptible to unauthenticated remote code execution. This occurs through the disaggregation module, which uses pickle.loads() to deserialize untrusted data without authentication. The pickle.loads() function is used to convert a byte stream into an object. This can lead to arbitrary code execution if the input data is malicious.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.