CVE-2026-3989
Published
CVSS v3
7.8
HIGH
CVSS v2
N/A
Affected
1
PROJECT
Description
SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script.
SGLang is a high-performance serving framework for large language models and multimodal models.
GitHub