MEDIUM SeverityCVSS 4.06.3CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
CVE-2026-7669
Last updated May 02, 2026 · Published May 02, 2026
Description
A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation results in deserialization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Affected products
1 listed- sgl-project:SGLang
Mappings
CWE
CWE-20CWE-502
CAPEC
None listed.
Related
Training
- Input Validation and Schema EnforcementValidate early, validate strictly - schemas, allowlists, and type-safe boundaries.
- Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.
- Secure Defaults in Modern FrameworksHow Rails, Next.js, Django, and Spring protect you - and where they don't.
CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms