VU#915947: SGLang is vulnerabl... Note

VU#915947: SGLang is vulnerable to remote code execution when rendering chat templates from a model file

A remote code execution vulnerability, CVE-2026-5760, has been found in the SGLang project's reranking endpoint. Attackers can exploit this by creating a malicious model with a specially crafted tokenizer.chat_template parameter. This parameter contains a Jinja2 server-side template injection payload. When SGLang loads this model and the reranking endpoint is accessed, the malicious template renders. This triggers the execution of arbitrary Python code on the server. The vulnerability stems from the use of jinja2.Environment() without proper sandboxing. Successful exploitation allows attackers to execute code as the SGLang service. This could lead to host compromise, data theft, or denial-of-service. Deployments exposing the endpoint to untrusted networks are most at risk. The recommended solution involves using ImmutableSandboxedEnvironment for rendering chat templates instead of the vulnerable jinja2.Environment(). Project maintainers did not respond to coordination efforts for a patch.