SGLang Inference HTTP Endpoint lora_manager.py assertion_CVE-2026-10300

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Description

A security vulnerability has been detected in SGLang 0.5.10.post1. Impacted is an unknown function of the file python/sglang/srt/lora/lora_manager.py of the component Inference HTTP Endpoint. Such manipulation of the argument lora_path leads to reachable assertion. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

Basic Information

ID CVE-2026-10300

Source VulDB

Published Jun 1, 2026 at 23:00

Affected Product

Vendor n/a

Product SGLang

Version 0.5.10.post1

Affected Versions n/a SGLang 0.5.10.post1

CWE Classification

CWE-617

References

{
    "lastseen": "",
    "description": "A security vulnerability has been detected in SGLang 0.5.10.post1. Impacted is an unknown function of the file python/sglang/srt/lora/lora_manager.py of the component Inference HTTP Endpoint. Such manipulation of the argument lora_path leads to reachable assertion. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.",
    "published": "2026-06-01T23:00:12.872Z",
    "modified": "2026-06-01T23:00:12.872Z",
    "type": "cve",
    "title": "SGLang Inference HTTP Endpoint lora_manager.py assertion",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/367593\nhttps://vuldb.com/vuln/367593/cti\nhttps://vuldb.com/cve/CVE-2026-10300\nhttps://vuldb.com/submit/828086\nhttps://github.com/sgl-project/sglang/issues/23141\nhttps://github.com/sgl-project/sglang/pull/25078",
    "id": "CVE-2026-10300",
    "bulletinFamily": "",
    "cwe": [
        "CWE-617"
    ],
    "cvelist": null,
    "sourceData": "n/a SGLang 0.5.10.post1",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SGLang",
    "version": "0.5.10.post1",
    "vendor": "n/a",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}