VulnWatch VulnWatch
← Back to dashboard
Critical nvd · CVE-2026-7301

CVE-2026-7301: SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that cal

Published May 18, 2026 CVSS 9.8

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

Remote Code Execution

Affected AI Products

sglang
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.