Critical severity 9.8 · NVD Advisory · Published May 18, 2026 · Updated May 19, 2026
CVE-2026-7304
Description
SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, because Python objects loaded via dill.loads() are deserialized without validation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sglang (PyPI) | >= 0.4.1.post7, <= 0.5.12 | — |
References
- github.com/advisories/GHSA-36m8-w8qf-g76p (source: GHSA; Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-7304 (source: GHSA; Advisory)
- antiproof.ai/blog/three-rces-in-sglang (source: GHSA; Web)
- antiproof.ai/blog/three-rces-in-sglang/ (source: NVD; Permissions Required)
- github.com/sgl-project/sglang/tree/main/python/sglang (source: NVD; Product, Web)
News mentions
- ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos (The Hacker News · May 25, 2026)