critical AI Issue
vLLM Critical RCE via Video URL Processing
| Field | Value |
| --- | --- |
| CVE | CVE-2026-22778 |
| Severity | critical |
| Status | open |
| Date | March 15, 2026 |
| Affects | vLLM inference servers with multimodal video support |
| Source | www.ox.security |
Details
CVSS score: 9.8. The exploit has two stages: a heap address is first leaked through PIL error messages, then a flaw in the JPEG2000 decoder allows arbitrary code execution. Millions of AI inference servers are potentially at risk. The issue is patched in vLLM 0.14.1.