{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35044", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T17:13:43.133Z", "dateUpdated": "2026-04-06T18:49:59.815Z"}, "containers": {"cna": {"title": "BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6"}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"version": "< 1.4.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:13:43.133Z"}, "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38."}], "source": {"advisory": "GHSA-v959-cwq9-7hr6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:49:50.867463Z", "id": "CVE-2026-35044", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:49:59.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35044", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T18:49:50.867463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:49:56.893Z"}}], "cna": {"title": "BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation", "source": {"advisory": "GHSA-v959-cwq9-7hr6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"status": "affected", "version": "< 1.4.38"}]}], "references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6", "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:13:43.133Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35044", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:49:59.815Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T17:13:43.133Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38."}], "id": "CVE-2026-35044", "lastModified": "2026-04-06T18:16:41.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T18:16:41.990", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BentoML", "source": "cna", "vendor": "bentoml"}, "product": "bentoml", "vendor": "bentoml"}], "analysis": {"en": {"generated_at": "2026-04-06T21:39:40.584148+00:00", "value": {"mitigation_remediation": ["Check the installed BentoML version to verify if it is older than 1.4.38.", "Upgrade the BentoML package to version 1.4.38 or later to apply the fix.", "Restart any BentoML services or environments to ensure the new version is used.", "After upgrading, verify that Dockerfile generation no longer renders unsandboxed Jinja templates."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the BentoML library, specifically versions prior to 1.4.38. Any user deploying or containerizing a malicious bento archive with these versions is at risk. The Dockerfile generation function uses an unsandboxed Jinja2.Environment, enabling the issue. Versions 1.4.38 and later mitigate the flaw.", "description_and_impact": "BentoML contains a Server\u2011Side Template Injection that allows attacker\u2011controlled Jinja2 template code to run arbitrary Python on the host during Dockerfile generation. This means a malicious bento archive can cause the host system to execute arbitrary code, bypassing container isolation and compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score is 8.8, indicating high severity. The lack of an EPSS score prevents precise exploitation likelihood estimation, but the presence of an unsandboxed template engine suggests that an attacker can exploit the flaw if they can supply a malicious bento archive. The vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be from a malicious bento file supplied by a user or third\u2011party archive."}}}}, "created": "2026-04-06T21:29:54.708187+00:00", "updated": "2026-04-06T21:47:12.186540+00:00", "vendors": ["bentoml", "bentoml$PRODUCT$bentoml"]}