Critical severity9.8NVD Advisory· Published Apr 20, 2026· Updated Jun 3, 2026
CVE-2026-5760
CVE-2026-5760
Description
SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4(expand)+ 1 more
- (no CPE)
- (no CPE)
- Range: 0.5.9
Patches
Vulnerability mechanics
References
2- github.com/sgl-project/sglang/pull/23660nvdIssue TrackingPatch
- www.kb.cert.org/vuls/id/915947nvdThird Party Advisory
News mentions
1- ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & MoreThe Hacker News · Apr 27, 2026