PatchSiren

ModelTC CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL ModelTC CVE published 2026-02-17

CVE-2026-26220

CVE-2026-26220 is a critical vulnerability in LightLLM version 1.1.0 and prior. The vulnerability allows unauthenticated remote code execution in PD disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achie [truncated]