CVE Catalog

CVE-2026-7304

Critical
Published: Translated: NVD NIST

Summary

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled. Python objects loaded via dill.loads() will be deserialized without validation.

Risk Assessment

Exploitation of this vulnerability could lead to remote execution of malicious code, posing a serious threat to the security of the system and the organization's data.

Recommendation

It is recommended to disable the --enable-custom-logit-processor option and conduct a code audit to identify and eliminate potential threats.

Original NVD description (English source)

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS