HIGH • SecOpsAI Intelligence

VU#777338: SGLang contains two remote code execution and one path traversal vulnerability

Overview

Three vulnerabilities have been discovered in the SGLang project: two enable remote code execution (RCE) and one is a path traversal vulnerability. To exploit these vulnerabilities, an attacker must have network access to the SGLang service, and the multimodal generation mode must be enabled. No patch is available at this time, and no response was obtained from the project maintainers during coordination.

Description

SGLang is an open-source framework

High • By CERT/CC Vulnerability Notes • Published: 2026-05-18 • Updated: 2026-05-20

Source Metadata

  • Source: CERT/CC Vulnerability Notes
  • Canonical URL: https://kb.cert.org/vuls/id/777338
  • Additional references: none
  • Published at: 2026-05-18T10:40:34.061443+00:00
  • Fetched at: 2026-05-19T15:04:34Z
  • Trust level: government

Why It Matters

  • Source type: Threat Intelligence
  • Severity hint: high (Remote code execution signal.)
  • Extracted signals: RCE

What SecOpsAI Can Detect

SecOpsAI can track affected product names, related CVEs, local SOC findings, advisory matches, and OpenClaw telemetry that mention this vulnerability or impacted component.

Extracted Intelligence

CVEs

  • None found deterministically; reviewer should confirm source details.

Affected Packages Or Products

  • None found deterministically; reviewer should add source-backed affected assets if present.

IOCs

  • None found deterministically; reviewer should add source-backed indicators if present.

Recommended Actions

  • Inventory affected product or component names from the source.
  • Check whether exposed systems, dependencies, or services use the affected component.
  • Prioritize vendor mitigation or patch guidance and record the remediation deadline.
  • Add monitoring terms for extracted CVEs and product names.

Operator Commands

secopsai triage summary
secopsai research preflight
secopsai supply-chain advisory list
secopsai blog news-review show news-8ea7731c8c8e06da-vu-777338-sglang-contains-two-remote-code-execution-and-one-path-tra
