CVE-2026-3059
published 2026-03-12CVE-2026-3059: SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using…
PriorityP273critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.53%
71.7th percentile
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huggingface | transformers | >= 0 < 5.0.0rc3 | 5.0.0rc3 |
| lmsys | sglang | 0.5.5 – 0.5.9 | — |
| sglang | sglang | — | — |
| sglang | sglang | >= 0 < 0.5.10 | 0.5.10 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
ghsa·2026-04-07
CVE-2026-1839 [MEDIUM] CWE-502 HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
GHSA
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
ghsa·2026-03-12
CVE-2026-3059 [CRITICAL] CWE-502 SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
OSV
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
osv·2026-03-12
CVE-2026-3059 [CRITICAL] SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-3059 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3059 [CRITICAL] CVE-2026-3059 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3059 :
Python vulnerability analysis and mitigation
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
Source : NVD
## 9.8
Score
Published March 12, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
SGLang
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 78.5
Exploitation Probability (EPSS) 1.2
Affected packages and libraries
sglang
cpe:2.3:a:lmsys:sglang
Sources
pip Severity CRITICAL No Fix Added at: Mar 12, 2026
Linux Severity CRITICAL No Fix Added at: Apr 02, 2026
Windows Severity CRITICAL No Fix Added a
Bugzilla
CVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
bugzilla·2026-04-07·CVSS 6.5
CVE-2026-1839 [MEDIUM] CVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
CVE-2026-1839 transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file
A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.
https://github.com/sgl-project/sglang/blob/main/python/sglang/multimodal_gen/runtime/scheduler_client.pyhttps://github.com/sgl-project/sglang/pull/20904https://github.com/sgl-project/sglang/releases/tag/v0.5.10https://github.com/sgl-project/sglang/security/advisories/GHSA-3cp7-c6q2-94xrhttps://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/
2026-03-12
Published