SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files

Summary

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-5760, has been discovered in SGLang. This flaw allows attackers to execute arbitrary code by crafting malicious GGUF model files. The vulnerability has a high severity rating with a CVSS score of 9.8.

IFF Assessment

FOE

The discovery of a critical RCE vulnerability with a high CVSS score poses a significant threat to defenders, as it allows for the execution of arbitrary code.

Severity

9.8 Critical

The CVSS score of 9.8 indicates a critical vulnerability that is highly exploitable and can have severe impact. The reported path of 'command injection' leading to 'arbitrary code execution' suggests a broad attack surface and significant compromise potential for any deployment that loads untrusted model files.

Defender Context

Defenders need to be aware of this critical vulnerability in SGLang and prioritize patching or implementing mitigations immediately. The ability to trigger RCE via model files highlights the growing security concerns around the supply chain for AI and ML models.
