PYSEC-2026-159

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/bentoml/PYSEC-2026-159.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-159

Aliases

CVE-2026-35044
GHSA-v959-cwq9-7hr6

Published

2026-04-06T18:16:41.990Z

Modified

2026-05-20T12:35:10.976510Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfiletemplate files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.

References

https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6

Affected packages

PyPI / bentoml

Package

Name: bentoml; View open source insights on deps.dev
Purl: pkg:pypi/bentoml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.38

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.5

0.0.6a0

0.0.7.dev0

0.0.7

0.0.8

0.0.8.post1

0.0.9

0.1.1

0.1.2

0.2.0

0.2.1

0.2.2

0.3.0

0.3.1

0.3.3

0.3.4

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.7

0.4.8

0.4.9

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.6.0

0.6.1

0.6.2

0.6.3

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.7.8

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.9.0rc0

0.9.0

0.9.1

0.9.2

0.10.0

0.10.1

0.11.dev0

0.11.0

0.12.0

0.12.1

0.13.0

0.13.1

0.13.2

1.*

1.0.0.dev0

1.0.0.dev1

1.0.0a1

1.0.0a2

1.0.0a3

1.0.0a4

1.0.0a5

1.0.0a6

1.0.0a7

1.0.0rc0

1.0.0rc1

1.0.0rc2

1.0.0rc3

1.0.0

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22

1.0.23

1.0.24

1.0.25

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.2.0a0

1.2.0a1

1.2.0a2

1.2.0a3

1.2.0a4

1.2.0a5

1.2.0a6

1.2.0a7

1.2.0rc1

1.2.0

1.2.1a1

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.20

1.3.0a1

1.3.0a2

1.3.0a3

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4.post1

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.3.17

1.3.18

1.3.19

1.3.20

1.3.21

1.3.22

1.4.0a1

1.4.0a2

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.15

1.4.16

1.4.17

1.4.18

1.4.19

1.4.20

1.4.21

1.4.22

1.4.23

1.4.24

1.4.25

1.4.26

1.4.27

1.4.28

1.4.29

1.4.30

1.4.31

1.4.32

1.4.33

1.4.34

1.4.35

1.4.36

1.4.37

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/bentoml/PYSEC-2026-159.yaml"