CVE-2026-7302
9.1 CRITICAL · SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arb...
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS: 9.1 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- CWE: CWE-35
Affected products
| Vendor | Product |
|---|---|
| lmsys | sglang |
Description
SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.
Source: NVD
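The defect class described above is a client-controlled filename being joined onto a server directory without validation. The following is an added example (not SGLang's code, and not the fix the project shipped) of the two-layer check a practitioner would want on any upload path: reject names that carry directory separators or dot components outright, so a traversal attempt is an error that can be logged rather than silently rewritten, and then independently prove the final path still lies under the upload root. The upload root `/var/lib/app/uploads` and the allowed character set are assumptions for the example; the sample filenames are constructed.

```python
import posixpath
import re

# Assumed upload root for the example; the real server setting is not on the page.
UPLOAD_ROOT = "/var/lib/app/uploads"

# Conservative single-component filename: letters, digits, dot, underscore, dash.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def sanitize_upload_name(name: str) -> str:
    """Accept only a bare filename; reject anything that could select a directory.

    Separators (POSIX and Windows), NUL bytes, empty names and the dot entries
    are rejected instead of being stripped, so a traversal attempt surfaces as
    a ValueError the caller can log.
    """
    if any(ch in name for ch in ("/", "\\", "\0")):
        raise ValueError(f"rejected upload name {name!r}: contains path separator")
    if name in ("", ".", ".."):
        raise ValueError(f"rejected upload name {name!r}: no usable filename")
    if not _SAFE_NAME.match(name):
        raise ValueError(f"rejected upload name {name!r}: disallowed characters")
    return name


def resolve_upload_path(name: str, root: str = UPLOAD_ROOT) -> str:
    """Join the sanitized name onto root and verify containment independently.

    The commonpath check is defence in depth: even if the sanitizer were
    weakened later, a normalised target outside root is still refused.
    posixpath is used so the result is the same on every platform.
    """
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, sanitize_upload_name(name)))
    if posixpath.commonpath([root_norm, target]) != root_norm:
        raise ValueError(f"path escapes upload root: {target}")
    return target


def is_safe_upload_name(name: str) -> bool:
    """Boolean form of the check, convenient for request validation and tests."""
    try:
        resolve_upload_path(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values of the kind a filename field might carry.
    samples = [
        "image.png",
        "model_0.bin",
        "../../etc/cron.d/job",
        "..\\..\\boot.ini",
        "/etc/passwd",
        "a b.png",
        "..",
        "",
    ]
    for candidate in samples:
        verdict = "ok" if is_safe_upload_name(candidate) else "rejected"
        print(f"{candidate!r:26} -> {verdict}")
```

Rejecting rather than normalising is deliberate: a request whose filename contains `../` is itself a detection signal, and a server that quietly strips it loses that signal. The containment check costs nothing and catches regressions in the allow-list.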
References
Related CVEs
Same vendor
- CVE-2026-7304 — SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor opt... (9.8 CRITICAL)
- CVE-2026-7301 — SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads()... (9.8 CRITICAL)
- CVE-2026-5760 — SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_temp... (9.8 CRITICAL)
Same CWE
- CVE-2026-40128 — SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that man... (9.0 CRITICAL)
- CVE-2026-24315 — SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain, this when opened ... (4.2 MEDIUM)
- CVE-2026-45661 — Dokploy is a free, self-hostable Platform as a Service (PaaS) (9.9 CRITICAL)
- CVE-2026-44933 — `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, this root is frequently `/` (the system root) in standard config... (7.8 HIGH)
- CVE-2026-45495 — Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (8.8 HIGH)