Home / Vulnerability Intelligence / CVE-2026-3059

CVE-2026-3059 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 12, 2026

SGLang multimodal generation module - Remote Code Execution

Published: March 12, 2026Updated: March 12, 2026Remote Exploitable

Overview

SGLang multimodal generation module contains a remote code execution caused by unauthenticated deserialization of untrusted data using pickle.loads() in ZMQ broker, letting unauthenticated attackers execute arbitrary code remotely.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 53.6%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.

Mitigation

Update to the latest version with secure deserialization or apply patches to authenticate data before deserialization.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 12, 2026

🔴 CVE-2026-3059 - Critical (9.8) SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3059/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-3059
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: unconfirmed
EPSS: 53.6%
Social Posts: 1

CWE

CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

53.6%Probability of exploitation in the next 30 days