CVE-2026-7302 is an unauthenticated path traversal issue reported for SGLang’s multimodal generation runtime. The flaw can let an attacker place files outside the intended upload path by using ../ sequences in an upload filename, potentially writing anywhere the server process has permission to write. Because the issue is unauthenticated and impacts file integrity on the host, it deserves prompt review ev [truncated]
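One way a server can handle the upload filename so that ../ sequences cannot leave the upload directory, shown next to the naive join that allows it. This is an added example, not SGLang's code or its patch; the function names, the reject-rather-than-sanitize policy and the sample filenames are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied filename must not be used (hypothetical type)."""


def naive_upload_path(upload_dir: str, filename: str) -> str:
    # The pattern that permits traversal: the client's name is joined as-is.
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_upload_path(upload_dir: str, filename: str) -> Path:
    base = Path(upload_dir).resolve()
    # Treat both separator styles as separators, whatever the host OS is.
    parts = filename.replace("\\", "/").split("/")
    if len(parts) != 1 or parts[0] in ("", ".", "..") or "\x00" in filename:
        raise UnsafeUploadName(f"rejected upload filename: {filename!r}")
    # Resolve symlinks, then confirm the result is still inside the upload dir.
    candidate = (base / parts[0]).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafeUploadName(f"escapes upload dir: {filename!r}") from None
    return candidate


# Constructed sample names; "link" is a symlink created inside the upload dir.
SAMPLE_NAMES = ["image.png", "../outside.bin", "a/../../outside.bin",
                "..\\outside.bin", "/abs.bin", "link", ""]


def demo() -> dict:
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root, "uploads")
        uploads.mkdir()
        os.symlink(root, uploads / "link")  # points outside the upload dir
        for name in SAMPLE_NAMES:
            try:
                safe_upload_path(str(uploads), name)
                results[name] = "accepted"
            except UnsafeUploadName:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Rejecting instead of silently stripping path components leaves a clear event to log and alert on, and the post-resolve containment check covers the symlink case that a basename check alone misses.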
SGLang's multimodal generation runtime scheduler exposes a ROUTER socket that binds to 0.0.0.0 by default and deserializes incoming messages using pickle.loads(), enabling unauthenticated remote code execution when the service is internet-facing. The vulnerability stems from unsafe deserialization (CWE-502) combined with a permissive network binding, allowing attackers to send crafted pickle payloads that [truncated]