What is CVE-2026-7669?

CVE-2026-7669 is a medium-severity vulnerability in Sgl-project Sglang, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 5.6/10. Published 2026-05-02.

How severe is CVE-2026-7669?

Medium severity. CVSS v3 base score is 5.6 out of 10.

Is CVE-2026-7669 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Sgl-project Sglang

CVE-2026-7669

A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the a…

EPSS: 0.000 (5.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.6 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

Sgl-project Sglang — versions 0.5.0, 0.5.1, 0.5.2

Weakness classification (CWE)

Public proof-of-concept exploits

gouldnicholas/CVE-2026-7669-PoC

References

cna@vuldb.com (exploit)
Submit #799263 | sgl-project sglang <=0.5.9 Protection Mechanism Failure (third-party-advisory)
VDB-360817 | sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer code injection (technical-description, exploit, vdb-entry)
VDB-360817 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)

Frequently asked questions

What is CVE-2026-7669?: CVE-2026-7669 is a medium-severity vulnerability in Sgl-project Sglang, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 5.6/10. Published 2026-05-02.
How severe is CVE-2026-7669?: Medium severity. CVSS v3 base score is 5.6 out of 10.
Is CVE-2026-7669 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.