PT-2026-56417 · Bentoml · Openllm

Geochen

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-15035

CVSS v3.1

5.3

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async run command of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Exploit

Fix

Special Elements Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15035

Affected Products

Openllm