Model Files Can Enable RCE
- A critical vulnerability (CVE-2026-5760) enables remote code execution via malicious GGUF model files against SGLang model-serving endpoints.
- The flaw is rated CVSS 9.8 and targets the /v1/rerank endpoint in vulnerable stacks.
- This shows model artefacts must be treated like untrusted executables and integrated into supply-chain and runtime isolation plans (thehackernews.com).
A model file can now be the attack: a newly disclosed SGLang flaw lets a malicious GGUF file run code on an inference server. (nvd.nist.gov) SGLang is software for serving large language models, and GGUF is a packaged model format that can carry weights plus metadata such as chat templates. In this case, the vulnerable path is SGLang's `/v1/rerank` endpoint, where the service reads a model-supplied `tokenizer.chat_template`. (github.com) (nvd.nist.gov)

The bug is tracked as CVE-2026-5760 and scored 9.8 out of 10 under CVSS 3.1 in the entry published by CISA, acting as an Authorized Data Publisher, in the National Vulnerability Database. The CVE record was published on April 20, 2026. (nvd.nist.gov)

The underlying mistake is simple: SGLang renders those templates with Jinja2, a text templating engine, using an unsandboxed `jinja2.Environment` instead of a restricted sandbox. CERT/CC said that lets a crafted template execute arbitrary Python code when `/v1/rerank` is called. (kb.cert.org)

A public proof of concept shows the attack chain in concrete steps: plant a malicious `tokenizer.chat_template` inside a GGUF file, load that model into SGLang, then trigger the vulnerable code path with a rerank request. The proof of concept says it was demonstrated against SGLang 0.5.9. (github.com) The exploit repository says the payload uses a server-side template injection trick to break out of the template context and call operating-system commands. It also says the malicious template includes a phrase that steers requests into SGLang's Qwen3 reranker path. (github.com)

CERT/CC warned that successful exploitation could lead to host compromise, lateral movement, data exfiltration, or denial of service, especially when affected interfaces are exposed to untrusted networks. Its advisory also said it received no response from project maintainers during coordination. (kb.cert.org)

The disclosure lands after other SGLang code-execution bugs surfaced in 2025 and 2026, including CVE-2025-10164, CVE-2026-3059, and CVE-2026-3060 in separate components. Those earlier advisories also centered on unsafe handling of untrusted input inside model-serving stacks. (github.com 1) (github.com 2) (github.com 3)

The immediate fix recommended by CERT/CC is to render chat templates with `ImmutableSandboxedEnvironment` instead of the default Jinja2 environment. Until patches and hardening catch up, the safest reading is that a downloaded model file belongs in the same trust category as any other untrusted executable. (kb.cert.org)