Vulnerability-Lookup

CVE-2026-33744 (GCVE-0-2026-33744)

Vulnerability from cvelistv5 – Published: 2026-03-27 00:45 – Updated: 2026-03-27 20:01

Title

BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

Summary

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

https://github.com/bentoml/BentoML/security/advis…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	bentoml	BentoML	Affected: < 1.4.37

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33744",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T20:01:10.256531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:01:40.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BentoML",
          "vendor": "bentoml",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.37"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T00:45:08.108Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf"
        }
      ],
      "source": {
        "advisory": "GHSA-jfjg-vc52-wqvf",
        "discovery": "UNKNOWN"
      },
      "title": "BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33744",
    "datePublished": "2026-03-27T00:45:08.108Z",
    "dateReserved": "2026-03-23T17:34:57.562Z",
    "dateUpdated": "2026-03-27T20:01:40.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33744\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-27T01:16:21.007\",\"lastModified\":\"2026-03-30T13:26:29.793\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"BentoML es una biblioteca de Python para construir sistemas de servicio en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versi\u00f3n 1.4.37, el campo \u0027docker.system_packages\u0027 en \u0027bentofile.yaml\u0027 aceptaba cadenas arbitrarias que se interpolaban directamente en los comandos \u0027RUN\u0027 de Dockerfile sin sanitizaci\u00f3n. Dado que \u0027system_packages\u0027 es sem\u00e1nticamente una lista de nombres de paquetes del sistema operativo (datos), los usuarios no esperan que los valores se interpreten como comandos de shell. Un \u0027bentofile.yaml\u0027 malicioso logra la ejecuci\u00f3n arbitraria de comandos durante \u0027bentoml containerize\u0027 / \u0027docker build\u0027. La versi\u00f3n 1.4.37 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33744\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T20:01:10.256531Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T20:01:33.499Z\"}}], \"cna\": {\"title\": \"BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml\", \"source\": {\"advisory\": \"GHSA-jfjg-vc52-wqvf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"bentoml\", \"product\": \"BentoML\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.4.37\"}]}], \"references\": [{\"url\": \"https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf\", \"name\": \"https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-27T00:45:08.108Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33744\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:01:40.600Z\", \"dateReserved\": \"2026-03-23T17:34:57.562Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-27T00:45:08.108Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33744

Vulnerability from fkie_nvd - Published: 2026-03-27 01:16 - Updated: 2026-03-30 13:26

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."
    },
    {
      "lang": "es",
      "value": "BentoML es una biblioteca de Python para construir sistemas de servicio en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versi\u00f3n 1.4.37, el campo \u0027docker.system_packages\u0027 en \u0027bentofile.yaml\u0027 aceptaba cadenas arbitrarias que se interpolaban directamente en los comandos \u0027RUN\u0027 de Dockerfile sin sanitizaci\u00f3n. Dado que \u0027system_packages\u0027 es sem\u00e1nticamente una lista de nombres de paquetes del sistema operativo (datos), los usuarios no esperan que los valores se interpreten como comandos de shell. Un \u0027bentofile.yaml\u0027 malicioso logra la ejecuci\u00f3n arbitraria de comandos durante \u0027bentoml containerize\u0027 / \u0027docker build\u0027. La versi\u00f3n 1.4.37 corrige el problema."
    }
  ],
  "id": "CVE-2026-33744",
  "lastModified": "2026-03-30T13:26:29.793",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-27T01:16:21.007",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-JFJG-VC52-WQVF

Vulnerability from github – Published: 2026-03-26 07:32 – Updated: 2026-03-27 21:37

Summary

BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

Details

Summary

The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious bentofile.yaml achieves arbitrary command execution during bentoml containerize / docker build.

Affected Component

src/_bentoml_sdk/images.py:85-89 — .format(packages=" ".join(packages)) into shell command
src/bentoml/_internal/container/frontend/dockerfile/templates/base_debian.j2:13 — {{ __options__system_packages | join(' ') }}
src/bentoml/_internal/bento/build_config.py:174 — No validation on system_packages
All distro install commands in src/bentoml/_internal/container/frontend/dockerfile/__init__.py

Affected Versions

All versions supporting docker.system_packages in bentofile.yaml, confirmed on 1.4.36.

Steps to Reproduce

Create a project directory with:

service.py:

import bentoml

@bentoml.service
class MyService:
    @bentoml.api
    def predict(self) -> str:
        return "hello"

bentofile.yaml:

service: "service:MyService"
docker:
  system_packages:
    - "curl && id > /tmp/bentoml-pwned #"

Run:

bentoml build

Examine the generated Dockerfile at ~/bentoml/bentos/my_service/<tag>/env/docker/Dockerfile. Line 41 will contain:

RUN apt-get install -q -y -o Dpkg::Options::=--force-confdef curl && id > /tmp/bentoml-pwned #

Running bentoml containerize my_service:<tag> will execute id > /tmp/bentoml-pwned as root during the Docker build.

Root Cause

The system_packages field values are treated as package names (data) by the user but are string-formatted directly into shell commands in the Dockerfile:

# images.py:85-89
self.commands.append(
    CONTAINER_METADATA[self.distro]["install_command"].format(
        packages=" ".join(packages)  # No escaping
    )
)

Where install_command is "apt-get install -q -y -o Dpkg::Options::=--force-confdef {packages}".

A bash_quote filter (wrapping shlex.quote) exists in the codebase and is registered in both Jinja2 environments, but it is only applied to environment variable values, never to system_packages.

Impact

Malicious repositories: An attacker publishes an ML project with a crafted bentofile.yaml. Anyone who clones and builds it gets arbitrary code execution during docker build.
CI/CD compromise: Automated pipelines running bentoml containerize on PRs that modify bentofile.yaml are vulnerable.
BentoCloud: If BentoCloud builds images from user-supplied bentofile.yaml, this could achieve RCE on cloud infrastructure.
Supply chain: Shared bentos or model repos in the BentoML ecosystem can contain malicious configs.

Suggested Fix

Option 1: Input validation (recommended)

Add a regex validator to system_packages in build_config.py:

import re

VALID_PACKAGE_NAME = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9.+\-_:]*$')

def _validate_system_packages(instance, attribute, value):
    if value is None:
        return
    for pkg in value:
        if not VALID_PACKAGE_NAME.match(pkg):
            raise BentoMLException(
                f"Invalid system package name: {pkg!r}. "
                "Package names may only contain alphanumeric characters, "
                "dots, plus signs, hyphens, underscores, and colons."
            )

system_packages: t.Optional[t.List[str]] = attr.field(
    default=None, validator=_validate_system_packages
)

Option 2: Output escaping

Apply shlex.quote() to each package name before interpolation in images.py:system_packages() and apply the bash_quote Jinja2 filter in base_debian.j2.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.36"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "bentoml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T07:32:44Z",
    "nvd_published_at": "2026-03-27T01:16:21Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`.\n\n## Affected Component\n\n- `src/_bentoml_sdk/images.py:85-89` \u2014 `.format(packages=\" \".join(packages))` into shell command\n- `src/bentoml/_internal/container/frontend/dockerfile/templates/base_debian.j2:13` \u2014 `{{ __options__system_packages | join(\u0027 \u0027) }}`\n- `src/bentoml/_internal/bento/build_config.py:174` \u2014 No validation on `system_packages`\n- All distro install commands in `src/bentoml/_internal/container/frontend/dockerfile/__init__.py`\n\n## Affected Versions\n\nAll versions supporting `docker.system_packages` in `bentofile.yaml`, confirmed on 1.4.36.\n\n## Steps to Reproduce\n\n1. Create a project directory with:\n\n**service.py:**\n```python\nimport bentoml\n\n@bentoml.service\nclass MyService:\n    @bentoml.api\n    def predict(self) -\u003e str:\n        return \"hello\"\n```\n\n**bentofile.yaml:**\n```yaml\nservice: \"service:MyService\"\ndocker:\n  system_packages:\n    - \"curl \u0026\u0026 id \u003e /tmp/bentoml-pwned #\"\n```\n\n2. Run:\n```bash\nbentoml build\n```\n\n3. Examine the generated Dockerfile at `~/bentoml/bentos/my_service/\u003ctag\u003e/env/docker/Dockerfile`. Line 41 will contain:\n```dockerfile\nRUN apt-get install -q -y -o Dpkg::Options::=--force-confdef curl \u0026\u0026 id \u003e /tmp/bentoml-pwned #\n```\n\n4. Running `bentoml containerize my_service:\u003ctag\u003e` will execute `id \u003e /tmp/bentoml-pwned` as root during the Docker build.\n\n## Root Cause\n\nThe `system_packages` field values are treated as package names (data) by the user but are string-formatted directly into shell commands in the Dockerfile:\n\n```python\n# images.py:85-89\nself.commands.append(\n    CONTAINER_METADATA[self.distro][\"install_command\"].format(\n        packages=\" \".join(packages)  # No escaping\n    )\n)\n```\n\nWhere `install_command` is `\"apt-get install -q -y -o Dpkg::Options::=--force-confdef {packages}\"`.\n\nA `bash_quote` filter (wrapping `shlex.quote`) exists in the codebase and is registered in both Jinja2 environments, but it is only applied to environment variable values, never to `system_packages`.\n\n## Impact\n\n1. **Malicious repositories**: An attacker publishes an ML project with a crafted `bentofile.yaml`. Anyone who clones and builds it gets arbitrary code execution during `docker build`.\n2. **CI/CD compromise**: Automated pipelines running `bentoml containerize` on PRs that modify `bentofile.yaml` are vulnerable.\n3. **BentoCloud**: If BentoCloud builds images from user-supplied `bentofile.yaml`, this could achieve RCE on cloud infrastructure.\n4. **Supply chain**: Shared bentos or model repos in the BentoML ecosystem can contain malicious configs.\n\n## Suggested Fix\n\n### Option 1: Input validation (recommended)\n\nAdd a regex validator to `system_packages` in `build_config.py`:\n\n```python\nimport re\n\nVALID_PACKAGE_NAME = re.compile(r\u0027^[a-zA-Z0-9][a-zA-Z0-9.+\\-_:]*$\u0027)\n\ndef _validate_system_packages(instance, attribute, value):\n    if value is None:\n        return\n    for pkg in value:\n        if not VALID_PACKAGE_NAME.match(pkg):\n            raise BentoMLException(\n                f\"Invalid system package name: {pkg!r}. \"\n                \"Package names may only contain alphanumeric characters, \"\n                \"dots, plus signs, hyphens, underscores, and colons.\"\n            )\n\nsystem_packages: t.Optional[t.List[str]] = attr.field(\n    default=None, validator=_validate_system_packages\n)\n```\n\n### Option 2: Output escaping\n\nApply `shlex.quote()` to each package name before interpolation in `images.py:system_packages()` and apply the `bash_quote` Jinja2 filter in `base_debian.j2`.",
  "id": "GHSA-jfjg-vc52-wqvf",
  "modified": "2026-03-27T21:37:31Z",
  "published": "2026-03-26T07:32:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33744"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bentoml/BentoML"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33744 (GCVE-0-2026-33744)

FKIE_CVE-2026-33744

GHSA-JFJG-VC52-WQVF

Summary

Affected Component

Affected Versions

Steps to Reproduce

Root Cause

Impact

Suggested Fix

Option 1: Input validation (recommended)

Option 2: Output escaping

Tags

Sightings

Nomenclature