A critical command-injection vulnerability (CVE-2026-5760, CVSS 9.8) in SGLang’s /v1/rerank endpoint can be exploited via a malicious GGUF model containing a Jinja2 SSTI payload to achieve remote code execution. CERT/CC and the discovering researcher recommend rendering templates with ImmutableSandboxedEnvironment instead of jinja2.Environment() to mitigate the issue, and no patch response was obtained during coordination. #SGLang #CVE-2026-5760
Key points
- CVE-2026-5760 is a critical command-injection flaw (CVSS 9.8) affecting SGLang’s /v1/rerank endpoint.
- An attacker can craft a GGUF model with a malicious tokenizer.chat_template containing a Jinja2 SSTI payload.
- Rendering the template with jinja2.Environment() allows the SSTI to execute arbitrary Python code, enabling remote code execution.
- Security researcher Stuart Beck reported the flaw and CERT/CC advised using ImmutableSandboxedEnvironment as a mitigation.
- SGLang is widely used and models can be loaded from sources like Hugging Face, making timely mitigation important.
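The mitigation the key points describe, as an added example that is not part of the original post or of SGLang's code: the same chat template rendered with `jinja2.Environment()` and with `ImmutableSandboxedEnvironment`, on constructed sample templates that stand in for an untrusted `tokenizer.chat_template`.

```python
"""Render an untrusted model chat template safely (added example, not SGLang code).

A model file ships its own ``tokenizer.chat_template`` (a Jinja2 template).
``jinja2.Environment`` runs whatever the template author wrote;
``ImmutableSandboxedEnvironment`` denies access to internal attributes and
refuses calls that mutate the data handed to the template.
"""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed sample: a normal chat template, as a well-behaved model would ship.
BENIGN_TEMPLATE = (
    "{% for m in messages %}<|{{ m.role }}|>{{ m.content }}<|end|>{% endfor %}"
)
# Constructed samples of what an untrusted template may try: reading a dunder
# attribute of a rendering variable, and mutating the caller's message list.
# Neither is a working exploit; they only show what the sandbox blocks.
DUNDER_TEMPLATE = "{{ messages.__class__ }}"
MUTATE_TEMPLATE = "{{ messages.append({'role': 'system', 'content': 'x'}) }}"

SAMPLE_MESSAGES = [{"role": "user", "content": "hi"}]


def render_chat_template(source: str, messages: list, sandboxed: bool = True) -> str:
    """Render ``source`` with ``messages``.

    sandboxed=True is the CERT/CC-recommended configuration; sandboxed=False
    reproduces the unsafe ``jinja2.Environment()`` pattern for comparison only.
    """
    env = ImmutableSandboxedEnvironment() if sandboxed else Environment()
    # Hand the template a copy so the unsafe path cannot alter the caller's list.
    return env.from_string(source).render(messages=list(messages))


def compare(source: str) -> dict:
    """Render ``source`` both ways; map each mode to its output or the error."""
    out = {}
    for mode, sandboxed in (("unsafe", False), ("sandboxed", True)):
        try:
            out[mode] = render_chat_template(source, SAMPLE_MESSAGES, sandboxed)
        except SecurityError as exc:
            out[mode] = f"SecurityError: {exc}"
    return out


if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN_TEMPLATE), ("dunder", DUNDER_TEMPLATE),
                      ("mutate", MUTATE_TEMPLATE)):
        print(name, compare(tpl))
```

Note that the sandbox renders a denied attribute as an empty string rather than raising, so a blank spot in rendered output is the only trace of the dunder probe; only the mutating call raises `SecurityError` outright.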
Read More: https://thehackernews.com/2026/04/sglang-cve-2026-5760-cvss-98-enables.html