sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer deserialization_CVE-2026-7669

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

Description

A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-7669

Source VulDB

Published May 2, 2026 at 22:00

Affected Product

Vendor sgl-project

Product SGLang

Version 0.5.0

Affected Versions sgl-project SGLang 0.5.0
sgl-project SGLang 0.5.1
sgl-project SGLang 0.5.2
sgl-project SGLang 0.5.3
sgl-project SGLang 0.5.4
sgl-project SGLang 0.5.5
sgl-project SGLang 0.5.6
sgl-project SGLang 0.5.7
sgl-project SGLang 0.5.8
sgl-project SGLang 0.5.9

CWE Classification

CWE-502 CWE-20

References

{
    "lastseen": "",
    "description": "A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-05-02T22:00:19.859Z",
    "modified": "2026-05-02T22:00:19.859Z",
    "type": "cve",
    "title": "sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer deserialization",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/360817\nhttps://vuldb.com/vuln/360817/cti\nhttps://vuldb.com/submit/799263",
    "id": "CVE-2026-7669",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502",
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "sgl-project SGLang 0.5.0\nsgl-project SGLang 0.5.1\nsgl-project SGLang 0.5.2\nsgl-project SGLang 0.5.3\nsgl-project SGLang 0.5.4\nsgl-project SGLang 0.5.5\nsgl-project SGLang 0.5.6\nsgl-project SGLang 0.5.7\nsgl-project SGLang 0.5.8\nsgl-project SGLang 0.5.9",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SGLang",
    "version": "0.5.0",
    "vendor": "sgl-project",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}