VYPR
Critical severity 9.8 · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026

CVE-2026-7301

Description

SGLang's multimodal generation runtime scheduler binds its ROUTER socket to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling remote code execution (RCE) when the socket is exposed to the internet.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions       Patched versions
sglang (PyPI)    >= 0.5.5, <= 0.5.12
