CVE-2026-10300
Remote Assertion Failure in SGLang via Inference HTTP Endpoint
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SGLang version 0.5.10.post1, specifically in an unknown function within the file python/sglang/srt/lora/lora_manager.py, part of the Inference HTTP Endpoint component.
The issue arises from manipulation of the argument 'lora_path', which leads to a reachable assertion, meaning the program can be forced into an unexpected state or crash.
The attack exploiting this vulnerability can be launched remotely, but it requires a high level of complexity and is considered difficult to exploit.
A fix has been proposed via a pull request but has not yet been accepted.
How can this vulnerability impact me?
Exploitation of this vulnerability can cause the affected software to reach an assertion failure, potentially leading to a crash or denial of service.
Since the attack can be launched remotely, it could disrupt the availability of the Inference HTTP Endpoint component.
However, the exploitability is difficult due to the high complexity required to successfully carry out the attack.
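The weakness class named above (CWE-617), as an added example that is not SGLang's code: the record does not identify the affected function, so this hypothetical resolver only shows an `assert` guarding a request-supplied `lora_path` beside a version that validates the field and returns a client error. `LOADED_ADAPTERS`, `InvalidRequest`, `resolve_asserting`, `resolve_validating` and `handle` are assumed names.

```python
# Illustrative only: hypothetical names, not taken from SGLang's lora_manager.py.

# Constructed sample state: adapters the server has already loaded.
LOADED_ADAPTERS = {"adapter-a": 0, "adapter-b": 1}


class InvalidRequest(Exception):
    """Client error: the caller maps this to an HTTP 4xx response."""


def resolve_asserting(lora_path):
    # CWE-617 pattern: an invariant check applied to request-controlled input.
    # An unknown value raises AssertionError outside any client-error path,
    # and the check disappears entirely when Python runs with -O.
    assert lora_path in LOADED_ADAPTERS, f"unknown adapter {lora_path}"
    return LOADED_ADAPTERS[lora_path]


def resolve_validating(lora_path):
    # Hardened pattern: treat the field as untrusted and reject it explicitly.
    if lora_path is None:
        return None  # no adapter requested
    if not isinstance(lora_path, str) or lora_path not in LOADED_ADAPTERS:
        raise InvalidRequest("lora_path does not name a loaded adapter")
    return LOADED_ADAPTERS[lora_path]


def handle(request, resolver):
    """Hypothetical endpoint wrapper returning (status, body)."""
    try:
        slot = resolver(request.get("lora_path"))
    except InvalidRequest as exc:
        return 400, {"error": str(exc)}
    # AssertionError is deliberately not caught: it propagates past the
    # client-error handling, which is the availability problem CWE-617 names.
    return 200, {"adapter_slot": slot}
```

When reviewing a service for this class of bug, search request-handling paths for `assert` statements whose condition depends on a request field and replace each with an explicit check of this kind.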