Package details: pkg:pypi/bentoml@0.3.4
purl pkg:pypi/bentoml@0.3.4
Next non-vulnerable version 1.4.39
Latest non-vulnerable version 1.4.39
Risk 4.3
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-5mjt-8ze7-h7d9
Aliases:
CVE-2026-44346
GHSA-w2pm-x38x-jp44
PYSEC-2026-190
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.
1.4.39
Affected by 0 other vulnerabilities.
VCID-bv3z-1yux-kka6
Aliases:
CVE-2026-35044
GHSA-v959-cwq9-7hr6
PYSEC-2026-159
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
1.4.38
Affected by 2 other vulnerabilities.
VCID-twd8-ejvs-6ffv
Aliases:
CVE-2026-33744
GHSA-jfjg-vc52-wqvf
PYSEC-2026-157
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
1.4.37
Affected by 4 other vulnerabilities.
VCID-ujzb-bk9k-7yf2
Aliases:
CVE-2026-44345
GHSA-78f9-r8mh-4xm2
PYSEC-2026-189
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build, which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39.
1.4.39
Affected by 0 other vulnerabilities.
VCID-zxca-jerw-6ycm
Aliases:
CVE-2026-35043
GHSA-fgv4-6jr3-jgfw
PYSEC-2026-158
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution issue on the CI/CD tier. This vulnerability is fixed in 1.4.38.
1.4.38
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:14:39.407647+00:00 | Pypa Importer | Affected by | VCID-5mjt-8ze7-h7d9 | https://github.com/pypa/advisory-database/blob/main/vulns/bentoml/PYSEC-2026-190.yaml | 38.6.0 |
| 2026-06-04T16:14:39.053131+00:00 | Pypa Importer | Affected by | VCID-ujzb-bk9k-7yf2 | https://github.com/pypa/advisory-database/blob/main/vulns/bentoml/PYSEC-2026-189.yaml | 38.6.0 |
| 2026-06-02T04:24:29.046524+00:00 | Pypa Importer | Affected by | VCID-bv3z-1yux-kka6 | https://github.com/pypa/advisory-database/blob/main/vulns/bentoml/PYSEC-2026-159.yaml | 38.6.0 |
| 2026-06-02T04:24:28.162134+00:00 | Pypa Importer | Affected by | VCID-zxca-jerw-6ycm | https://github.com/pypa/advisory-database/blob/main/vulns/bentoml/PYSEC-2026-158.yaml | 38.6.0 |
| 2026-06-02T04:24:24.895592+00:00 | Pypa Importer | Affected by | VCID-twd8-ejvs-6ffv | https://github.com/pypa/advisory-database/blob/main/vulns/bentoml/PYSEC-2026-157.yaml | 38.6.0 |