CVE-2026-5760
Published 2026-04-20
Priority P2 · 60 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.85% (53.6th percentile)
SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lmsys | sglang | < 0.5.11 | 0.5.11 |
| sglang | sglang | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the /v1/rerank endpoint for SSTI payloads characteristic of Jinja2 template injection (e.g., expressions using {{ }}, __class__, __mro__, __subclasses__, os.system, subprocess, etc.).
- Detect loading of GGUF model files containing a crafted tokenizer.chat_template field with Jinja2 SSTI payload content — flag model files where tokenizer.chat_template includes Python execution constructs.
- Alert on SGLang processes spawning unexpected child processes or shell commands, which may indicate successful SSTI-based RCE via the reranking endpoint.
- Flag use of jinja2.Environment() (unsandboxed) in SGLang source code or runtime imports, as opposed to ImmutableSandboxedEnvironment, as an indicator of the vulnerable code path being active.
- Monitor model download activity from Hugging Face or similar repositories for GGUF files; correlate with subsequent /v1/rerank traffic to identify potential exploitation chains.
- The vulnerable code path is specifically triggered by the Qwen3 reranker trigger phrase within the tokenizer.chat_template; exploitation requires the victim to load a malicious GGUF model file — the attack is not purely network-based without the model loading step.
- No patch was available at time of disclosure; CERT/CC confirmed no response or patch was obtained during the coordination process, meaning all SGLang deployments using the /v1/rerank endpoint remain at risk.
- The vulnerability is in the reranking endpoint only (/v1/rerank); other SGLang endpoints are not described as directly vulnerable via this specific attack vector.
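As an added illustration (not code from SGLang or from any of the sources above) of the point in the detection notes, the block below renders a chat template with the unsandboxed jinja2.Environment the advisory describes and with ImmutableSandboxedEnvironment, and adds a static intake check using the indicators listed above. The templates, context values and function names are constructed for this example.

```python
# Added example (not SGLang's or any source's code): rendering a model's
# tokenizer.chat_template with the unsandboxed jinja2.Environment the advisory
# describes versus the ImmutableSandboxedEnvironment the detection notes name.
from jinja2 import Environment
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed templates (assumptions, not from any real model file). The benign
# one mimics a reranker prompt; the probing one only reads type internals.
BENIGN_TEMPLATE = (
    "Query: {{ query }}\nDocument: {{ document }}\n"
    "Judge whether the Document meets the requirements of the Query."
)
PROBING_TEMPLATE = "Query: {{ query }} {{ query.__class__.__mro__ }}"

# Indicators taken from the detection notes above.
MARKERS = ("__class__", "__mro__", "__subclasses__", "os.system", "subprocess")


def render_unsandboxed(template: str, **ctx) -> str:
    """Vulnerable pattern: a plain Environment exposes Python internals."""
    return Environment().from_string(template).render(**ctx)


def render_sandboxed(template: str, **ctx) -> str:
    """Hardened pattern: underscore-prefixed attribute lookups become undefined
    values that raise SecurityError when used; passed-in objects are immutable."""
    return ImmutableSandboxedEnvironment().from_string(template).render(**ctx)


def renders_safely(template: str, **ctx) -> bool:
    """True if the sandbox accepts the template. A refusal on a downloaded
    model's chat_template means it carries more than a prompt template."""
    try:
        render_sandboxed(template, **ctx)
        return True
    except SecurityError:
        return False


def flag_markers(template: str) -> list[str]:
    """Static intake check before loading a model: indicators present in the
    template text, in MARKERS order."""
    return [m for m in MARKERS if m in template]


if __name__ == "__main__":
    ctx = {"query": "best GPU for inference", "document": "H100 spec sheet"}
    print(render_unsandboxed(PROBING_TEMPLATE, **ctx))  # leaks type internals
    print(renders_safely(PROBING_TEMPLATE, **ctx))      # False
    print(flag_markers(PROBING_TEMPLATE))               # ['__class__', '__mro__']
```

The benign template renders identically under both environments, so switching to the sandbox costs nothing for legitimate models.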
VulDB
sglang 0.59 Reranking Endpoint /v1/rerank jinja2.Environment special elements used in a template engine
vuldb·2026-04-20·CVSS 9.8
A vulnerability classified as critical has been found in sglang 0.59. This impacts the function jinja2.Environment of the file /v1/rerank of the component Reranking Endpoint. The manipulation leads to improper neutralization of special elements used in a template engine.
This vulnerability is documented as CVE-2026-5760. The attack can be initiated remotely. There is not any exploit available.
GHSA
GHSA-2wm4-697g-pfq8 (CWE-94)
ghsa_unreviewed · 2026-04-20 · CRITICAL
SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
blogs_hackernews·2026-04-27
CVE-2025-20333 ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains got hit. Fake help desks worked. Weird research showed how easy some attacks still are.
Most of it feels like stuff we should have fixed years ago. Bad extensions. Stolen creds. Remote tools are getting abused. Malware hides in places people trust. Same mess, cleaner packaging.
Coffee is cold. The vuln list is ugly. Let’s get into it.
## ⚡ Threat of the Week
New fast16 Malware Was Developed Y
Hackernews
SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
blogs_hackernews·2026-04-20·CVSS 9.8
CVE-2026-5760 [CRITICAL] SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems.
The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code.
SGLang is a high-performance, open-source serving framework for large language models and multimodal models. The official GitHub project has been forked over 5,500 times and starred 26,100 times.
According to the
Published: 2026-04-20