CVE-2026-3989

HIGH 7.8

CVE-2026-3989

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

3th

SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script.

Vendor	sglang
Product	sglang
Published	Mar 12, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for sglang sglang

Be the first to know when new high vulnerabilities affecting sglang sglang are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

SGLang / SGLang

0.5.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/sgl-project/sglang/blob/main/scripts/playground/replay_request_dump.py orca.security: https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities/ github.com: https://github.com/sgl-project/sglang/releases/tag/v0.5.10 github.com: https://github.com/sgl-project/sglang/pull/20904