CRITICAL
Lmsys
CVE published 2026-05-18
CVE-2026-7304
CVE-2026-7304 is a critical unauthenticated remote code execution issue in the SGLang multimodal generation runtime, published on 2026-05-18 and updated on 2026-05-19. The risk appears when `--enable-custom-logit-processor` is enabled: Python objects are deserialized through `dill.loads()` without validation, which NVD maps to CWE-502 and rates at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H).