CVE-2026-7304
CriticalSummary
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled. Python objects loaded via dill.loads() will be deserialized without validation.
Risk Assessment
Exploitation of this vulnerability could lead to remote execution of malicious code, posing a serious threat to the security of the system and the organization's data.
Recommendation
It is recommended to disable the --enable-custom-logit-processor option and conduct a code audit to identify and eliminate potential threats.
Original NVD description (English source)
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

