top of page
perceptive_background_267k.jpg

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pic…

Published:

11 March 2026 at 23:00:00

Alert date:

12 March 2026 at 16:03:23

Source:

nvd.nist.gov

Click to open the original link from this advisory

Emerging Technologies, Supply Chain & Dependencies

SGLang's multimodal generation module contains a critical remote code execution vulnerability in the ZMQ broker component. The vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization of untrusted data through pickle.loads() without proper authentication checks. This affects the scheduler client component of the SGLang framework's multimodal generation functionality.

Technical details

Mitigation steps:

Affected products:

SGLang

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-3059
https://github.com/sgl-project/sglang/blob/main/python/sglang/multimodal_gen/runtime/scheduler_client.py
https://github.com/sgl-project/sglang/security/advisories/GHSA-3cp7-c6q2-94xr
https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page