CVE-2026-5760

Name of the Vulnerable Software and Affected Versions SGLang (affected versions not specified)

Description An issue in the '/v1/rerank' endpoint allows remote code execution when a model file containing a malicious tokenizer.chat template is loaded. This occurs because Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment(), leading to server-side template injection (SSTI). An attacker can craft a malicious GPT-Generated Unified Format (GGUF) model file with an SSTI payload and upload it to public repositories. When a victim integrates this model and an unauthenticated POST request is sent to the '/v1/rerank' endpoint, arbitrary Python code is executed on the server host with the privileges of the SGLang service. This issue has been reported as being actively exploited in the wild.

Recommendations Replace jinja2.Environment() with jinja2.sandbox.ImmutableSandboxedEnvironment() in all template rendering components within the SGLang source code. Avoid loading models from untrusted or unverified sources. Restrict internet access for inference servers to prevent unauthorized requests to the '/v1/rerank' endpoint.