ModelTC Team

2 exploits Active since Feb 2026
CVE-2026-26220 WRITEUP CRITICAL WRITEUP
LightLLM <=1.1.0 - Unauthenticated RCE
LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution.
CVE-2026-26220 WRITEUP CRITICAL WRITEUP
LightLLM <=1.1.0 - Unauthenticated RCE
LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution.