{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5760", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-07T18:02:12.417Z", "datePublished": "2026-04-20T13:46:23.603Z", "dateUpdated": "2026-04-29T13:23:42.103Z"}, "containers": {"cna": {"title": "CVE-2026-5760", "descriptions": [{"lang": "en", "value": "SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment()."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "SGLang", "product": "SGLang", "versions": [{"status": "affected", "version": "8f3097e"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://github.com/Stuub/SGLang-0.5.9-RCE"}, {"url": "https://github.com/sgl-project/sglang/pull/23660"}], "x_generator": {"engine": "VINCE 3.0.36", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5760"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-29T13:23:42.103Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:20:49.607107Z", "id": "CVE-2026-5760", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:22:12.163Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/915947"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T15:29:54.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/915947"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T15:29:54.098Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5760", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T14:20:49.607107Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:19:11.393Z"}}], "cna": {"title": "CVE-2026-5760", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "SGLang", "product": "SGLang", "versions": [{"status": "affected", "version": "8f3097e"}]}], "references": [{"url": "https://github.com/Stuub/SGLang-0.5.9-RCE"}, {"url": "https://github.com/sgl-project/sglang/pull/23660"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.36", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5760"}, "descriptions": [{"lang": "en", "value": "SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment()."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-29T13:23:42.103Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5760", "state": "PUBLISHED", "dateUpdated": "2026-04-29T13:23:42.103Z", "dateReserved": "2026-04-07T18:02:12.417Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-20T13:46:23.603Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malcious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment()."}], "id": "CVE-2026-5760", "lastModified": "2026-04-29T14:16:19.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T14:16:21.680", "references": [{"source": "cret@cert.org", "url": "https://github.com/Stuub/SGLang-0.5.9-RCE"}, {"source": "cret@cert.org", "url": "https://github.com/sgl-project/sglang/pull/23660"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/915947"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.59"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SGLang", "source": "cna", "vendor": "SGLang"}, "product": "sglang", "vendor": "sglang"}], "analysis": {"en": {"generated_at": "2026-04-20T17:23:01.340168+00:00", "value": {"mitigation_remediation": ["Disable or restrict the /v1/rerank endpoint to trusted users only.", "Validate or strip the tokenizer.chat_template field from uploaded model files before loading them into the service.", "Upgrade SGLang to a newer release that applies a sandboxed Jinja2 environment or otherwise sanitizes templates. If a patch is not yet available, consider protecting the application behind a reverse proxy that blocks untrusted model uploads.", "Monitor system logs for suspicious Jinja template rendering attempts and failing authentication attempts to the rerank endpoint."], "summary": {"action": "Immediate Mitigation", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SGLang application, specifically the reranking endpoint /v1/rerank. No specific version numbers are provided, but the issue exists in the current release used at the time of the report. The product is identified as SGLang:SGLang by the CNA. Administrators should check any instance of SGLang exposing the rerank API for potential exploitation.", "description_and_impact": "SGLang's /v1/rerank API loads a model file that may contain a malicious tokenizer.chat_template. During rendering, the library invokes Jinja2 without sandboxing, allowing the template code to execute as part of the service. This flaw permits an attacker who can supply a crafted model file to execute arbitrary code on the host running SGLang, leading to full system compromise. The weakness originates from unsanitized template execution and is related to CWE-94.", "risk_and_exploitability": "The CVSS score is 9.8, and the EPSS score is unavailable, but the presence of RCE implies a high severity risk. The attack requires delivery of a malicious tokenizer.chat_template via a model file that the SGLang service processes. While the exact privilege level needed to upload the model is not detailed, it is inferred that an adversary with sufficient write access to the model storage can trigger the flaw. The vulnerability is not listed in the CISA KEV catalog, but its exploitability, combined with the lack of sandboxing, suggests that it could be leveraged by attackers with network access to the affected service."}}}}, "created": "2026-04-20T15:30:06.046825+00:00", "title": "SGLang Reranking Endpoint Allows RCE via Unsandboxed Jinja2 Template Rendering", "updated": "2026-04-20T17:30:12.652596+00:00", "vendors": ["sglang", "sglang$PRODUCT$sglang"]}