Home / Vulnerability Intelligence / CVE-2026-3060

CVE-2026-3060 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 12, 2026

SGLang encoder parallel disaggregation system - Remote Code Execution

Published: March 12, 2026Updated: March 12, 2026Remote Exploitable

Overview

SGLang encoder parallel disaggregation system contains an insecure deserialization vulnerability caused by unauthenticated use of pickle.loads() in the disaggregation module, letting remote attackers execute arbitrary code without authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 55.4%(Probability of exploitation in next 30 days)

Impact

Remote attackers can execute arbitrary code without authentication, potentially leading to full system compromise.

Mitigation

Update to the latest version with secure deserialization or apply patches to validate input before deserialization.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 12, 2026

🔴 CVE-2026-3060 - Critical (9.8) SGLang' encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3060/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-3060
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: unconfirmed
EPSS: 55.4%
Social Posts: 1

CWE

CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

55.4%Probability of exploitation in the next 30 days