CVE-2026-15035: A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of the file src/openllm
Summary
A command injection vulnerability (CWE-77, improper neutralization of special elements in commands) was found in bentoml OpenLLM version 0.6.30 in the async_run_command function, where an attacker can manipulate the cmd argument to execute unauthorized commands, though this requires local access to the system. The vulnerability has been publicly disclosed and the developers were notified but have not yet responded.
Vulnerability Details
5.3(medium)
EPSS: 0.0%
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
local
low
low
none
July 8, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-15035
First tracked: July 8, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 85%