CVE-2026-5760
published 2026-04-20


Priority: P260
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.85% (53.6th percentile)

SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, because the Jinja2 chat template is rendered with an unsandboxed jinja2.Environment().

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
lmsys    sglang    < 0.5.11        0.5.11
sglang   sglang    (not stated)    (not stated)

Detection & IOCs (extracted from sources)

path: entrypoints/openai/serving_rerank.py
  • Monitor HTTP requests to the /v1/rerank endpoint for SSTI payloads characteristic of Jinja2 template injection (e.g., expressions using {{ }}, __class__, __mro__, __subclasses__, os.system, subprocess, etc.).
  • Detect loading of GGUF model files containing a crafted tokenizer.chat_template field with Jinja2 SSTI payload content — flag model files where tokenizer.chat_template includes Python execution constructs.
  • Alert on SGLang processes spawning unexpected child processes or shell commands, which may indicate successful SSTI-based RCE via the reranking endpoint.
  • Flag use of jinja2.Environment() (unsandboxed) in SGLang source code or runtime imports, as opposed to ImmutableSandboxedEnvironment, as an indicator of the vulnerable code path being active.
  • Monitor model download activity from Hugging Face or similar repositories for GGUF files; correlate with subsequent /v1/rerank traffic to identify potential exploitation chains.
  • The vulnerable code path is specifically triggered by the Qwen3 reranker trigger phrase within the tokenizer.chat_template; exploitation requires the victim to load a malicious GGUF model file, so the attack is not purely network-based without the model loading step.
  • No patch was available at time of disclosure; CERT/CC confirmed no response or patch was obtained during the coordination process, meaning all SGLang deployments using the /v1/rerank endpoint remain at risk.
  • The vulnerability is in the reranking endpoint only (/v1/rerank); other SGLang endpoints are not described as directly vulnerable via this specific attack vector.
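A constructed scanner for the second detection item above (flagging a tokenizer.chat_template that carries Python introspection or process-execution constructs). It is an added example, not code from the advisory or from SGLang; the indicator list, the sample templates, and the metadata keys it reads (GGUF-style tokenizer.chat_template, tokenizer_config.json-style chat_template) are assumptions for this example.

```python
import re
from typing import Dict, List

# Indicator families (an assumption for this example, not an SGLang list): the
# Jinja2 SSTI constructs the advisory names, plus a few common neighbours.
SSTI_INDICATORS = [
    ("dunder_introspection",
     re.compile(r"__(?:class|mro|subclasses|globals|builtins|import|base)__")),
    ("process_execution",
     re.compile(r"\b(?:os\.system|os\.popen|subprocess|popen|eval|exec)\b")),
]

# Jinja2 expression ({{ ... }}) and statement ({% ... %}) blocks; DOTALL so that
# blocks spanning several lines are captured whole.
JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def scan_chat_template(template: str) -> List[str]:
    """Return the sorted indicator names found inside Jinja2 delimiters.

    Only template logic is inspected: the same words in literal prompt text
    (e.g. a system prompt that mentions 'subprocess') are not flagged.
    """
    found = set()
    for block in JINJA_BLOCK.findall(template):
        for name, pattern in SSTI_INDICATORS:
            if pattern.search(block):
                found.add(name)
    return sorted(found)


def scan_model_metadata(metadata: Dict[str, object]) -> List[str]:
    """Scan a GGUF-style key/value dict ('tokenizer.chat_template') or a
    tokenizer_config.json-style dict ('chat_template') for SSTI indicators."""
    template = metadata.get("tokenizer.chat_template") or metadata.get("chat_template")
    if not isinstance(template, str):
        return []  # no template means nothing gets rendered, so nothing to flag
    return scan_chat_template(template)


# Constructed samples: a plain chat-style template, and the same template with
# an introspection chain and a process-execution name appended.
BENIGN_TEMPLATE = (
    "{% for message in messages %}<|im_start|>{{ message.role }}\n"
    "{{ message.content }}<|im_end|>\n{% endfor %}"
    "Note: never call subprocess from a prompt."  # literal text, not logic
)
SUSPICIOUS_TEMPLATE = BENIGN_TEMPLATE + "{{ messages.__class__.__mro__ }}{{ subprocess }}"
# scan_chat_template(SUSPICIOUS_TEMPLATE) -> ['dunder_introspection', 'process_execution']
```

Run it over the metadata of every GGUF or tokenizer_config.json file before it is loaded by a service that renders chat templates; a non-empty result is a reason to quarantine the model file rather than serve it.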