NIXPKGS-2026-0971

GitHub issue published on

Permalink CVE-2026-35044

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 3 weeks, 5 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 6 days ago
@LeSuisse accepted 3 weeks, 5 days ago
@LeSuisse published on GitHub 3 weeks, 5 days ago

BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.