| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-2kem-3zpv-9yfj |
| vulnerability_id |
VCID-2kem-3zpv-9yfj |
| summary |
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
The `safe_extract_tarfile()` function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, **not the symlink's target**. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-27905, GHSA-m6w7-qv66-g3mf
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2kem-3zpv-9yfj |
|
| 1 |
| url |
VCID-7ma3-q9pr-5ubm |
| vulnerability_id |
VCID-7ma3-q9pr-5ubm |
| summary |
Insecure deserialization in BentoML
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. This issue poses a significant security risk, enabling attackers to compromise the server and potentially gain unauthorized access or control. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-2912, GHSA-hvj5-mvw9-93j3
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7ma3-q9pr-5ubm |
|
| 2 |
|
| 3 |
| url |
VCID-8fmm-wxbk-7qcb |
| vulnerability_id |
VCID-8fmm-wxbk-7qcb |
| summary |
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-33744, GHSA-jfjg-vc52-wqvf, PYSEC-2026-157
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
7.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8fmm-wxbk-7qcb |
|
| 4 |
| url |
VCID-c64b-txym-9fgf |
| vulnerability_id |
VCID-c64b-txym-9fgf |
| summary |
BentoML has a Path Traversal via Bentofile Configuration
BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-24123, GHSA-6r62-w2q3-48hf
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c64b-txym-9fgf |
|
| 5 |
| url |
VCID-fvk4-zxh6-kuhs |
| vulnerability_id |
VCID-fvk4-zxh6-kuhs |
| summary |
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-35043, GHSA-fgv4-6jr3-jgfw, PYSEC-2026-158
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
7.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fvk4-zxh6-kuhs |
|
| 6 |
| url |
VCID-ha3w-dtg7-4fbq |
| vulnerability_id |
VCID-ha3w-dtg7-4fbq |
| summary |
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-32375, GHSA-7v4r-c989-xh26, PYSEC-2025-32
|
| risk_score |
4.4 |
| exploitability |
0.5 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ha3w-dtg7-4fbq |
|
| 7 |
| url |
VCID-urh1-515z-s3fg |
| vulnerability_id |
VCID-urh1-515z-s3fg |
| summary |
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-35044, GHSA-v959-cwq9-7hr6, PYSEC-2026-159
|
| risk_score |
4.3 |
| exploitability |
0.5 |
| weighted_severity |
8.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-urh1-515z-s3fg |
|
| 8 |
|
|
|---|