cbcvebase.
CVE-2026-7301
published 2026-05-18

CVE-2026-7301: SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages…

PriorityP349critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.40%
31.8th percentile
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

Affected

3 ranges
VendorProductVersion rangeFixed in
lmsyssglang
sglangsglang
sglangsglang0.5.5 – 0.5.12
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.