A high-severity vulnerability in LMDeploy, a toolkit for managing large language models, was exploited in under 13 hours after its public disclosure. The flaw, tracked as CVE-2026-33626 with a CVSS score of 7.5, is a Server-Side Request Forgery (SSRF) vulnerability that potentially grants attackers access to sensitive data. This rapid exploitation underscores the importance of prompt patching and mitigation. The CVSS score indicates a significant risk, and exploitation in the wild so soon after disclosure suggests that attackers are highly motivated to leverage this flaw. Entities using LMDeploy should therefore prioritize mitigation based on their exposure and available evidence of exploitation [1]. This active exploitation expands the attack surface, so practitioners should act immediately to protect their systems.
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
Why This Matters
CVE-2026-33626 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- The Hacker News. (2026, April 24). LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure. *The Hacker News*. https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html