5 matches found
Exploit for OS Command Injection in Kubeai
CVE-2026-34940 — OS Command Injection in KubeAI via Model URL...
CVE-2026-34940
KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript function in internal/modelcontroller/engineollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components ref, modelParam. This shell command is executed via bash ...
CVE-2026-34940
KubeAI has a OS Command Injection vulnerability in the Ollama Engine startup probe. Before version 0.23.2, the ollamaStartupProbeScript() constructs a shell command via fmt.Sprintf using unsanitized model URL components (ref, modelParam) and runs it with bash -c as a Kubernetes startup probe. An ...
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
CHAMP: Description Summary The ollamaStartupProbeScript function in internal/modelcontroller/engineollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components ref, modelParam. This shell command is executed via bash -c as a Kubernetes startup probe. An...
Default configuration
TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity...