Overview
Radware Alteon has a reflected Cross-Site Scripting (XSS) vulnerability in the parameter ReturnTo of the route /protected/login. This vulnerability allows an attacker to execute JavaScript in the host browser.
Description
CVE-2026-5754: Reflected Cross-Site Scripting (XSS) vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the ReturnTo parameter of the /protected/login route in Radware Alteon version 34.5.4.0. The vulnerability arises from the lack of user input sanitization, allowing an attacker to inject malicious scripts. Specifically, when a user requests a resource that redirects to a Microsoft SAML login page, the load-balancer redirects the user to the login page with a ReturnTo parameter that fails to sanitize user input. An attacker can exploit this by injecting a malicious payload in the ReturnTo parameter, which will be executed in the victim’s browser.
An example attack flow is below:

Attacker creates link with XSS payload in ReturnTo parameter.
Victim clicks malicious link, redirecting to login page.
Load-balancer reflects malicious ReturnTo parameter, executing XSS payload.
Attacker performs JavaScript code execution in the victim’s browser.

Impact
The impact of this vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code in a victim’s browser. Doing so enables a range of harmful activities, including the following: stealing session cookies and sensitive data; performing unauthorized actions on behalf of the victim; tricking users into falling for phishing attacks; and damaging a website’s reputation and user trust.
Solution
Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. The vendor, Radware, has acknowledged the vulnerability in their customer portal and plans to patch it in the next version, 34.5.7.0. This version was expected to be released on March 31st, 2026, based upon the release notes, but it is unclear if this release occurred and included a fix. In the meantime, users are advised to take precautions to prevent exploitation, such as validating and encoding user input.
Acknowledgements
Thanks to the reporter, Loinaz Merino Cerrajeria, for bringing this vulnerability to our attention.This document was written by Timur Snoke.

Overview
Terrarium is a sandbox-based code execution platform that enables users to run and execute code in a controlled environment, providing a secure way to test and validate code. However, a vulnerability has been discovered in Terrarium that allows arbitrary code execution with root privileges on the host Node.js process. This vulnerability is caused by a JavaScript prototype chain traversal in the Pyodide WebAssembly environment.
Description
The root cause of the vulnerability lies in the configuration of jsglobals objects in service.ts. Specifically, the mock document object is created using a standard JavaScript object literal, which inherits properties from Object.prototype. This inheritance chain allows sandbox code to traverse up to the function constructor, create a function that returns globalThis, and from there access Node.js internals, including require(). As a result, an attacker can escape the sandbox and execute arbitrary system commands as root within the container.
CVE-2026-5752
Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.
Impact
Applications that use Terrarium for sandboxed code execution may be compromised, allowing an attacker to:

Execute arbitrary commands as root inside the container
Access and modify sensitive files, including /etc/passwd and environment variables
Reach other services on the container’s network, including databases and internal APIs
Potentially escape the container and escalate privileges further

Mitigation
Unfortunately, we were unable to coordinate with the vendor to obtain a patch or fix for this vulnerability. In the meantime, several mitigation strategies can be employed to reduce the risk of exploitation. Users should consider implementing the following measures:

Disable unnecessary features: Disable any features that allow users to submit code to the sandbox, if possible.
Implement network segmentation: Segment the network to limit the attack surface and prevent lateral movement.
Use a Web Application Firewall (WAF): Deploy a WAF to detect and block suspicious traffic, including attempts to exploit the vulnerability.
Monitor container activity: Regularly monitor container activity for signs of suspicious behavior.
Implement access controls: Limit access to the container and its resources to authorized personnel only.
Use a secure container orchestration tool: Utilize a secure container orchestration tool to manage and secure containers.
Regularly update and patch dependencies: Ensure that dependencies are up-to-date and patched.

Acknowledgments
The vulnerability was discovered by Jeremy Brown, who used AI-assisted vulnerability research to identify the issue. This document was written by Timur Snoke with assistance from AI.

Overview
A remote code execution vulnerability has been discovered in the SGLang project, specifically in the reranking endpoint (/v1/rerank). A CVE has been assigned to track the vulnerability; CVE-2026-5760. An attacker can create a malicious model for SGLang to achieve RCE. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or denial-of-service (DoS) attacks. No response was obtained from the project maintainers during coordination.
Description
SGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. A vulnerability, tracked as CVE-2026-5760, has been discovered within the reranking endpoints. Using a cross-encoder model, the reranking endpoint reranks documents based on their relevance to a query.
An attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted tokenizer.chat_template parameter that contains a Jinja2 server-side template injection (SSTI) payload with a trigger phrase to activate the vulnerable code path. A tokenizer.chat_template is a metadata field that defines how text is structured before being processed. The victim then downloads and loads the model in SGLang, and when a request hits the /v1/rerank endpoint, the malicious template is rendered, executing the attacker’s arbitrary Python code on the server. This sequence of events enables the attacker to achieve remote code execution (RCE) on the SGLang server.
The vulnerability arises from the use of jinja2.Environment() without sandboxing in the getjinjaenv() function. This function sets up the environment for rendering Jinja2 templates, but since it lacks proper sandboxing, it fails to restrict the execution of arbitrary Python code. Consequently, when the reranking endpoint is accessed and a malicious model file containing a crafted tokenizer.chattemplate is loaded, the model can execute arbitrary commands on the server.
Impact
An attacker can create a malicious model for SGLang to achieve RCE. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or denial-of-service (DoS) attacks. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.
Solution
To mitigate this vulnerability, it is recommended to use ImmutableSandboxedEnvironment instead of jinja2.Environment() to render the chat templates. This will prevent the execution of arbitrary Python code on the server. No response or patch was obtained during the coordination process.
Acknowledgements
Thanks to the reporter, Stuart Beck. This document was written by Christopher Cullen.