All 8 CVE vulnerabilities found in BentoML, with AI-generated Chinese analysis, references, and POCs.
Vendor: bentoml
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-35044 | BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation CWE-1336 | 8.8 | High | 2026-04-06 |
| CVE-2026-35043 | BentoML: command injection in cloud deployment setup script (deployment.py) CWE-78 | 7.8 | High | 2026-04-06 |
| CVE-2026-33744 | BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml CWE-94 | 7.8 | High | 2026-03-27 |
| CVE-2026-27905 | BentoML has an Arbitrary File Write via Symlink Path Traversal in Tar Extraction CWE-59 | 7.4 (AI) | High (AI) | 2026-03-03 |
| CVE-2026-24123 | BentoML has a Path Traversal via Bentofile Configuration CWE-22 | 7.4 | High | 2026-01-26 |
| CVE-2025-54381 | BentoML is Vulnerable to an SSRF Attack Through File Upload Processing CWE-918 | 9.9 | Critical | 2025-07-29 |
| CVE-2025-32375 | Insecure Deserialization leads to RCE in BentoML's runner server CWE-502 | 9.8 | Critical | 2025-04-09 |
| CVE-2025-27520 | BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization CWE-502 | 9.8 | Critical | 2025-04-04 |