CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-m2jr-x4gq-5rmj: SGLang: Reachable Assertion via lora_path in LoRAManager enables remote Denial of Dervice

lowCVSS 3.7CVE-2026-10300
A security vulnerability has been detected in SGLang 0.5.10.post1. Impacted is an unknown function of the file python/sglang/srt/lora/lora_manager.py of the component Inference HTTP Endpoint. Such manipulation of the argument lora_path leads to reachable assertion. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
low — CVSS 3.7
Published
2026-06-02
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-m2jr-x4gq-5rmj

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-10300coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories