Main Vulnerability Database Vulnerabilities #VU121938

#VU121938 Code Injection in vLLM - CVE-2026-22807

Published: January 22, 2026

Vulnerability identifier: #VU121938

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-22807

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
vLLM

Software vendor:
vLLM

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within auto_map dynamic module loading during model initialization. A remote attacker can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr

#VU121938 Code Injection in vLLM - CVE-2026-22807

Description

Remediation

External links

Please verify you're human