A critical vulnerability in SGLang, tracked as CVE-2026-5760 with a CVSS score of 9.8, could allow remote code execution on affected systems. According to CERT/CC, the flaw is reachable through the reranking endpoint /v1/rerank: an attacker who can get the server to load a specially crafted GPT Generated Unified Format (GGUF) model file can run arbitrary Python code on the server.
The exploit hinges on a malicious tokenizer.chat_template, the chat template carried in the model's metadata, that contains a Jinja2 server-side template injection (SSTI) payload. The template is rendered when a request hits the endpoint, so the payload executes inside the SGLang service. Security researchers note that the root cause is that SGLang renders the template with an unsandboxed jinja2.Environment() instead of Jinja2's ImmutableSandboxedEnvironment, which refuses access to the internal and dunder attributes an SSTI payload needs to climb from a template object to Python builtins.
The advisory also outlines the attack sequence: craft the GGUF file with the malicious chat template, publish it where a victim will fetch it (for example on Hugging Face), wait for the SGLang server to load the model, and then send a request that hits the vulnerable /v1/rerank path, at which point the template is rendered and the code executes on the server. CERT/CC recommends switching to ImmutableSandboxedEnvironment to render templates, and notes that no patch was obtained during coordination. The article also mentions SGLang's open-source status, with the GitHub project forked over 5,500 times and starred 26,100 times.
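The example below is added here to show the vulnerability class concretely; it is not SGLang's code and not the CERT/CC proof of concept. It uses a constructed chat template standing in for the tokenizer.chat_template a GGUF loader would read (the key name is real, the values are made up) and renders it both the vulnerable way, with a plain jinja2.Environment, and the recommended way, with ImmutableSandboxedEnvironment. The payload uses a standard Jinja2 SSTI path from the template's own self object to the Python builtins; it calls os.getpid() rather than spawning a shell so the demo stays harmless, but the same path reaches os.popen. The helper function names and the sample messages are this example's own assumptions.

```python
"""Added example (not SGLang's code): unsandboxed Jinja2 rendering of an
untrusted chat template is arbitrary Python execution; the sandbox stops it."""
import re

from jinja2 import Environment
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed stand-in for what a GGUF loader reads out of the model's
# metadata under the key tokenizer.chat_template. A normal template only
# formats the conversation.
BENIGN_TEMPLATE = (
    "{% for m in messages %}<|{{ m['role'] }}|>{{ m['content'] }}<|end|>\n"
    "{% endfor %}"
)

# Classic Jinja2 SSTI payload: `self` is the TemplateReference object,
# self.__init__ is a bound method, __globals__ is the jinja2.runtime module
# dict, its __builtins__ entry exposes __import__, and from there any
# module is reachable. getpid() is used instead of popen('...') to keep the
# demonstration harmless; the primitive is the same.
MALICIOUS_TEMPLATE = (
    "{{ self.__init__.__globals__.__builtins__.__import__('os').getpid() }}"
)

# Constructed request body, e.g. what a rerank call would pass in.
MESSAGES = [{"role": "user", "content": "rerank these"}]


def render_unsandboxed(chat_template: str, messages) -> str:
    """The vulnerable pattern: Environment() lets templates reach __globals__."""
    return Environment().from_string(chat_template).render(messages=messages)


def render_sandboxed(chat_template: str, messages) -> str:
    """The fix CERT/CC recommends: dunder and internal attribute access on
    any object is refused, raising jinja2.sandbox.SecurityError."""
    env = ImmutableSandboxedEnvironment()
    return env.from_string(chat_template).render(messages=messages)


def sandbox_blocks(chat_template: str, messages) -> bool:
    """True when the sandbox refuses to render the template at all."""
    try:
        render_sandboxed(chat_template, messages)
    except SecurityError:
        return True
    return False


# Heuristic triage for model files you are about to load; it is NOT a
# substitute for the sandbox (attribute names can be built dynamically),
# but it flags the obvious payloads before a template is ever rendered.
_SUSPICIOUS = re.compile(r"__\w+__|\battr\s*\(|\bmro\b|__subclasses__")


def looks_suspicious(chat_template: str) -> bool:
    """Flag chat templates that touch dunder/introspection attributes."""
    return _SUSPICIOUS.search(chat_template) is not None


if __name__ == "__main__":
    # Unsandboxed: the "template" returns the server's PID, i.e. it ran Python.
    print("unsandboxed, malicious ->", render_unsandboxed(MALICIOUS_TEMPLATE, MESSAGES))
    # Sandboxed: the legitimate template still renders normally...
    print("sandboxed, benign ->", repr(render_sandboxed(BENIGN_TEMPLATE, MESSAGES)))
    # ...while the payload is refused with SecurityError.
    print("sandbox blocks malicious:", sandbox_blocks(MALICIOUS_TEMPLATE, MESSAGES))
    print("triage flags malicious:", looks_suspicious(MALICIOUS_TEMPLATE))
```

Two things worth noting when applying this to a real loader: switch the environment at the single place templates are compiled, not per endpoint, so /v1/rerank and any other path that formats prompts share the same sandbox; and treat the triage regex only as a pre-load signal for model files pulled from public hubs, since the sandbox is what actually enforces the boundary.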