
272 matches found

Vulnrichment
added 2026/04/06 5:13 p.m. | 1 view

CVE-2026-35044 BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extensio...

CVSS 8.8 | AI score 6.1 | EPSS 0.00392
Exploits: 1 | References: 1

CVE
added 2026/04/06 5:13 p.m. | 13 views

CVE-2026-35044

Summary (CVE-2026-35044) BentoML prior to 1.4.38 is vulnerable to server-side template injection via an unsandboxed Jinja2 environment used to render Dockerfile templates during containerization. Attacker-controlled templates can execute arbitrary Python on the host during template rendering (not...

CVSS 9.6 | AI score 6.1 | EPSS 0.00392
Exploits: 1 | References: 1 | Affected Software: 1

CNNVD
added 2026/04/06 12:0 a.m. | 3 views

BentoML Security Vulnerability

BentoML is an open-source model service library developed by BentoML. It is used to build high-performance and scalable artificial intelligence applications using Python. Versions of BentoML prior to 1.4.38 contained a security vulnerability. This vulnerability stemmed from the Dockerfile...

CVSS 9.6 | AI score 6 | EPSS 0.00392
Exploits: 1 | References: 2

Github Security Blog
added 2026/04/03 11:14 p.m. | 5 views

BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation

Summary The Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfiletemplate files. When a victim imports a malicious bento archive and runs bentoml...

CVSS 9.6 | AI score 6.5 | EPSS 0.00392
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/04/03 11:14 p.m. | 5 views

GHSA-V959-CWQ9-7HR6 BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation

Summary The Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfiletemplate files. When a victim imports a malicious bento archive and runs bentoml...

CVSS 8.8 | AI score 6.5 | EPSS 0.00392
Exploits: 1 | References: 4

Positive Technologies
added 2026/04/03 12:0 a.m. | 4 views

PT-2026-30281

Commit ce53491 March 24 fixed command injection via system packages in Dockerfile templates and images.py by adding shlex.quote. However, the cloud deployment path in src/bentoml/ internal/cloud/deployment.py was not included in the fix. Line 1648 interpolates system packages directly into a shel...

CVSS 7.8 | AI score 6.4 | EPSS 0.00315
Exploits: 2 | References: 5

Positive Technologies
added 2026/04/03 12:0 a.m. | 1 view

PT-2026-30282

Summary The Dockerfile generation function generate containerfile in src/bentoml/ internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile template files. When a victim imports a malicious bento archive and runs...

CVSS 8.8 | AI score 6.5 | EPSS 0.00392
Exploits: 1 | References: 4

OSV
added 2026/03/27 1:16 a.m. | 1 view

DEBIAN-CVE-2026-33747

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for...

CVSS 9.8 | AI score 5.9 | EPSS 0.00498
Exploits: 0 | References: 1

CVE
added 2026/03/27 12:45 a.m. | 11 views

CVE-2026-33744

BentoML is affected by a Dockerfile command Injection via the docker.system_packages field in bentofile.yaml. The field’s values are interpolated directly into shell commands without sanitization, allowing a crafted package entry to execute arbitrary commands during bentoml containerize or docker...

CVSS 7.8 | AI score 6 | EPSS 0.00257
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2026/03/27 12:45 a.m. | 29 views

CVE-2026-33744 BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since...

CVSS 7.8 | EPSS 0.00257
Exploits: 1 | References: 1

EUVD
added 2026/03/26 7:32 a.m. | 3 views

EUVD-2026-16513

BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml...

CVSS 7.8 | AI score 5.8 | EPSS 0.00257
Exploits: 1 | References: 1

Github Security Blog
added 2026/03/26 7:32 a.m. | 4 views

BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

Summary The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names data, users do not expect values to be interpreted as shell command...

CVSS 7.8 | AI score 6.6 | EPSS 0.00257
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/03/26 7:32 a.m. | 1 view

GHSA-JFJG-VC52-WQVF BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

Summary The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names data, users do not expect values to be interpreted as shell command...

CVSS 7.8 | AI score 6.5 | EPSS 0.00257
Exploits: 1 | References: 4

Positive Technologies
added 2026/03/26 12:0 a.m. | 2 views

PT-2026-28523

Name of the Vulnerable Software and Affected Versions BentoML versions prior to 1.4.37 Description BentoML is a Python library used for building online serving systems for AI applications and model inference. A flaw exists where the docker.system_packages field within the bentofile.yaml file does...

CVSS 7.8 | AI score 6.2 | EPSS 0.00257
Exploits: 1 | References: 13

Github Security Blog
added 2026/03/03 10:25 p.m. | 11 views

OpenClaw has multiple E2E/test Dockerfiles that run all processes as root

Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 root. If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix 2026-02-08: Commit 28e1a65e added USER sandb...

AI score 6
Exploits: 0 | References: 3 | Affected Software: 1

NVD
added 2026/02/24 3:21 p.m. | 6 views

CVE-2026-27208

bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a...

CVSS 9.2 | EPSS 0.00655
Exploits: 0 | References: 2

Snyk
added 2026/01/26 9:17 p.m. | 4 views

Directory Traversal

Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Directory Traversal via the processing of user-supplied file paths in configuration fields description, docker.setupscript, docker.dockerfiletemplate, and conda.environmentyml...

CVSS 8.2 | AI score 6.3 | EPSS 0.00437
Exploits: 0 | References: 3

OSV
added 2026/01/26 9:17 p.m. | 4 views

GHSA-6R62-W2Q3-48HF BentoML has a Path Traversal via Bentofile Configuration

Summary BentoML's bentofile.yaml configuration allows path traversal attacks through multiple file path fields description, docker.setupscript, docker.dockerfiletemplate, conda.environmentyml. An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files fr...

CVSS 7.4 | AI score 6 | EPSS 0.00437
Exploits: 0 | References: 5

Github Security Blog
added 2026/01/26 9:17 p.m. | 8 views

BentoML has a Path Traversal via Bentofile Configuration

Summary BentoML's bentofile.yaml configuration allows path traversal attacks through multiple file path fields description, docker.setupscript, docker.dockerfiletemplate, conda.environmentyml. An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files fr...

CVSS 7.4 | AI score 6 | EPSS 0.00437
Exploits: 0 | References: 5 | Affected Software: 1

Tenable Nessus
added 2026/01/20 12:0 a.m. | 4 views

MiracleLinux 8 : container-tools:rhel8 (AXSA:2024-9011:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-9011:01 advisory. Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library CVE-2024-9341 Buildah: Podman: Improper Input...

CVSS 8.2 | AI score 7.7 | EPSS 0.0099
Exploits: 0 | References: 4