CVE-2026-7302

Critical

Published: 18 May 2026

Published

18 May 2026

Modified

19 May 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0008 22.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7302 is a critical-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Lmsys Sglang. Its CVSS base score is 9.1 (Critical).

Operationally, ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-35

Affected Products

lmsys

sglang

0.5.10

References

https://antiproof.ai/blog/three-rces-in-sglang/
Permissions Required · cret@cert.org
https://github.com/sgl-project/sglang/tree/main/python/sglang
Product · cret@cert.org