Critical severity 9.1 · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026
CVE-2026-7302
Description
SGLang's multimodal generation runtime is vulnerable to unauthenticated path traversal: by including ../ sequences in the upload filename sent to specific endpoints, an attacker can write arbitrary files anywhere the server process has write access.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sglang (PyPI) | >= 0.5.5, <= 0.5.12 | — |
References
- github.com/advisories/GHSA-qwrp-wghp-94q2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-7302 (ghsa, ADVISORY)
- antiproof.ai/blog/three-rces-in-sglang (ghsa, WEB)
- antiproof.ai/blog/three-rces-in-sglang/ (nvd, Permissions Required)
- github.com/sgl-project/sglang/tree/main/python/sglang (nvd, Product, WEB)
News mentions
- ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos (The Hacker News · May 25, 2026)