CVE-2026-10775
3.6 LOW
A vulnerability was determined in sgl-project SGLang up to 0.5.11
Published: 2026-06-03 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 3.6 LOW
- Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
- CWE: CWE-404
Affected products
| Vendor | Product |
|---|---|
| lmsys | sglang |
Description
A vulnerability was determined in sgl-project SGLang up to 0.5.11. Affected by this vulnerability is the function data_hash of the component Cache Handler. This manipulation causes denial of service. The attack is restricted to local execution. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-10775
- [Other] https://github.com/sgl-project/sglang/
- [Other] https://github.com/sgl-project/sglang/issues/25462
- [Patch] https://github.com/sgl-project/sglang/pull/22033
- [Other] https://vuldb.com/cve/CVE-2026-10775
- [Other] https://vuldb.com/submit/831438
- [Other] https://vuldb.com/vuln/368138
- [Other] https://vuldb.com/vuln/368138/cti
Related CVEs
Same vendor
- CVE-2026-7304 — SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor opt... (9.8 CRITICAL)
- CVE-2026-7302 — SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arb... (9.1 CRITICAL)
- CVE-2026-7301 — SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads()... (9.8 CRITICAL)
- CVE-2026-5760 — SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_temp... (9.8 CRITICAL)
Same CWE
- CVE-2026-47213 — Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to ru... (6.5 MEDIUM)
- CVE-2026-11312 — A vulnerability was found in bytedance InfiniStore up to 0.2.33 (3.3 LOW)
- CVE-2026-10802 — A vulnerability was detected in keystonejs keystone up to 20260319 (4.3 MEDIUM)
- CVE-2026-10705 — A flaw has been found in dask up to 3.0 (3.1 LOW)
- CVE-2026-10650 — A flaw has been found in warmcat libwebsockets up to 4.5.8 (5.3 MEDIUM)