GHSA-v959-cwq9-7hr6: BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
Summary
BentoML's Dockerfile generation uses an unsandboxed Jinja2 template engine (a tool that processes template files with dynamic code) with dangerous extensions enabled, allowing attackers to embed malicious code in a template file. When a victim imports a malicious bento archive and runs the containerize command, the attacker's code executes directly on the victim's host machine before any container isolation happens, rather than inside a container where it would be restricted.
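The difference between an unsandboxed and a sandboxed Jinja2 environment, as an added example (not BentoML's code or its fix): the same template is rendered by a plain `Environment` and by `SandboxedEnvironment`, using a harmless probe that only reads a type name. The template strings, context values and function names are constructed for illustration.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-ins for a Dockerfile template shipped inside an archive.
BENIGN = "FROM {{ base_image }}\nRUN pip install {{ packages | join(' ') }}\n"
# Harmless probe: steps from a context value to Python internals through
# underscore-prefixed attributes, the access pattern a sandbox must refuse.
PROBE = "FROM {{ base_image }}\n# {{ base_image.__class__.__name__ }}\n"

# Constructed render context (assumption: not taken from the advisory).
CONTEXT = {"base_image": "python:3.11-slim", "packages": ["numpy", "pandas"]}


def plain_env():
    """Unsandboxed engine: templates can reach any attribute of context objects."""
    return Environment()


def sandboxed_env():
    """Sandboxed engine: unsafe attribute access yields an undefined value.

    StrictUndefined makes that undefined value raise as soon as it is used,
    so a blocked lookup fails the render and cannot pass unnoticed.
    """
    return SandboxedEnvironment(undefined=StrictUndefined)


def render(env, source):
    """Render source with CONTEXT; return (ok, rendered_text_or_reason)."""
    try:
        return True, env.from_string(source).render(**CONTEXT)
    except SecurityError as exc:
        return False, f"blocked: {exc}"


def compare(source):
    """Render one template under both engines and return both outcomes."""
    return {
        "unsandboxed": render(plain_env(), source),
        "sandboxed": render(sandboxed_env(), source),
    }


if __name__ == "__main__":
    for name, source in (("benign", BENIGN), ("probe", PROBE)):
        for engine, (ok, text) in compare(source).items():
            print(f"{name:6} {engine:11} ok={ok} {text!r}")
```

The benign template renders identically under both engines, while the probe renders under the plain engine and is rejected with `SecurityError` under the sandbox.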
Vulnerability Details
EPSS: 0.0%
April 3, 2026
Original source: https://github.com/advisories/GHSA-v959-cwq9-7hr6
First tracked: April 3, 2026 at 08:00 PM