{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35044", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T17:13:43.133Z", "dateUpdated": "2026-04-06T18:49:59.815Z"}, "containers": {"cna": {"title": "BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6"}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"version": "< 1.4.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:13:43.133Z"}, "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38."}], "source": {"advisory": "GHSA-v959-cwq9-7hr6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:49:50.867463Z", "id": "CVE-2026-35044", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:49:59.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35044", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T18:49:50.867463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:49:56.893Z"}}], "cna": {"title": "BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation", "source": {"advisory": "GHSA-v959-cwq9-7hr6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"status": "affected", "version": "< 1.4.38"}]}], "references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6", "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:13:43.133Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35044", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:49:59.815Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T17:13:43.133Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D86CC10-0560-4752-9FA9-485FD844D90B", "versionEndExcluding": "1.4.38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38."}], "id": "CVE-2026-35044", "lastModified": "2026-04-10T18:31:47.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T18:16:41.990", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BentoML", "source": "cna", "vendor": "bentoml"}, "product": "bentoml", "vendor": "bentoml"}], "analysis": {"en": {"generated_at": "2026-04-10T19:54:34.721829+00:00", "value": {"mitigation_remediation": ["Upgrade BentoML to version 1.4.38 or later.", "Avoid importing bento archives from untrusted sources; verify digital signatures or hashes before import.", "If an upgrade cannot be performed immediately, disable the Jinja2 'do' extension or otherwise sandbox the template rendering process to prevent code execution.", "Monitor system logs for unexpected Python execution or new processes during container creation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Any installation of BentoML before version 1.4.38 that performs containerization is affected. The vulnerability is triggered when a user imports a bento archive from an untrusted source and then executes the containerize operation, regardless of the underlying operating system or deployment environment.", "description_and_impact": "BentoML\u2019s Dockerfile generation function creates an unsandboxed Jinja2 environment that processes user\u2011provided templates. An attacker can embed malicious Jinja2 code into a bento archive; when a victim imports that archive and runs the containerize command, the template engine will execute arbitrary Python on the host machine. This bypasses container isolation and allows the attacker to run code with the privileges of the BentoML process, leading to full system compromise.", "risk_and_exploitability": "The severity is high with a CVSS score of 8.8. The probability of active exploitation is low, as indicated by an EPSS score below 1% and the absence of listing in the KEV catalog. Exploitation requires an attacker to supply a malicious bento archive to a victim that imports it and runs the containerization command; once triggered, the attacker gains arbitrary code execution on the host, putting all data and services at risk."}}}}, "created": "2026-04-06T21:29:54.708187+00:00", "updated": "2026-04-13T14:27:42.912075+00:00", "vendors": ["bentoml", "bentoml$PRODUCT$bentoml"]}