CVE Catalog

CVE-2026-7302

Critical
Published: Translated: NVD NIST

Summary

SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access by including ../ sequences in the upload filename when sent to specific endpoints.

Risk Assessment

This vulnerability could lead to unauthorized access to the server's file system, posing a risk of data leakage or malware.

Recommendation

It is recommended to implement filename validation and restrict access to endpoints to prevent exploitation of this vulnerability.

Original NVD description (English source)

SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS