CVE-2026-7302
Vexday Risk Score
28 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.1 | EPSS 0.4% | KEV no | PoC — | Nuclei — | Metasploit — | Patch —
Lifecycle
18 May 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal: by including ../ sequences in the upload filename sent to specific endpoints, an attacker can write arbitrary files anywhere the server process has write access.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected products
SGLang · SGLang