Package impact
PyPI / bentoml
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-44346 | high | 8.8 | 8.8 | 21h ago | Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043) | |
| CVE-2026-44345 | high | 8.8 | 8.8 | 17d ago | BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043) | |
| CVE-2026-40610 | medium | 5.5 | 5.5 | 6d ago | BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context |