How serious is CVE-2026-3059?

This vulnerability has a CVSS score of 9.8 out of 10, classified as CRITICAL severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2026-3059?

Yes, proof-of-concept exploit code for CVE-2026-3059 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2026-3059?

CVE-2026-3059 affects lmsys sglang. Check the full CVE details for specific version information.

How do I fix CVE-2026-3059?

To remediate CVE-2026-3059, check for security patches from lmsys. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-3059

Critical

|9.8

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to run any code they want on the affected system remotely, without needing to log in. It occurs because the system processes untrusted data in a way that can be exploited, specifically through a messaging service that doesn't check if the data is safe.

Technical Description

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$13,000($5K-$15K)

Vendor Response

Grade APatched in 5 days

Quick Information

Published

Mar 12, 2026

26 days ago

Last Modified

Mar 17, 2026

21 days ago

Vendor

lmsys

Product

sglang

Related Vulnerabilities

CVE-2026-3060Critical

This vulnerability allows an attacker to run arbitrary code on a vulnerable system remotely without needing to log in. It occurs because the system improperly processes untrusted data, which can be exploited if an attacker sends specially crafted input to the disaggregation module.