CVE-2026-7302
CriticalSummary
SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access by including ../ sequences in the upload filename when sent to specific endpoints.
Risk Assessment
This vulnerability could lead to unauthorized access to the server's file system, posing a risk of data leakage or malware.
Recommendation
It is recommended to implement filename validation and restrict access to endpoints to prevent exploitation of this vulnerability.
Original NVD description (English source)
SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.

