pkg:PyPI/bentoml

18 total CVEs: CRITICAL 6, HIGH 10, MEDIUM 1

All known vulnerabilities

  • CRITICAL 9.9 CVE-2025-54381: BentoML SSRF Vulnerability in File Upload Processing
    Affected versions: >= 1.4.0, < 1.4.19
  • CRITICAL 9.8 CVE-2025-32375: BentoML's runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization
    Affected versions: >= 1.0.0, < 1.4.8
  • CRITICAL 9.8 CVE-2025-32375: BentoML's runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization
    Affected versions: >= 1.0.0a1, < 1.4.8
  • CRITICAL 9.8 CVE-2025-27520: BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
    Affected versions: >= 1.3.4, < 1.4.3
  • CRITICAL 9.8 CVE-2024-9070: BentoML deserialization vulnerability
    Affected versions: from 0, <= 1.4.5
  • CRITICAL 9.8 CVE-2024-2912: Insecure deserialization in BentoML
    Affected versions: from 0, < 1.2.5
  • HIGH 8.8 CVE-2026-44346: Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)
    Affected versions: from 0, < 1.4.39
  • HIGH 8.8 CVE-2026-44345: BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)
    Affected versions: from 0, < 1.4.39
  • HIGH 8.8 CVE-2026-35044: BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
    Affected versions: from 0, < 1.4.38
  • HIGH 7.8 CVE-2026-35043: BentoML: Command Injection in cloud deployment setup script
    Affected versions: from 0, < 1.4.38
  • HIGH 7.8 CVE-2026-33744: BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml
    Affected versions: from 0, < 1.4.37
  • HIGH 7.5 CVE-2024-9056: BentoML Denial of Service (DoS) via Multipart Boundary
    Affected versions: from 0, <= 1.4.5
  • HIGH 7.4 CVE-2026-24123: BentoML has a Path Traversal via Bentofile Configuration
    Affected versions: from 0, < 1.4.34
  • MEDIUM 5.5 CVE-2026-40610: BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
    Affected versions: from 0, < 1.4.39
  • (no score) CVE-2026-27905: BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
    Affected versions: from 0, < 1.4.36