๐Ÿ” CVE Alert

CVE-2026-15035

MEDIUM 5.3

bentoml OpenLLM Model Repository Directory Name common.py async_run_command command injection

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE CWE-77 CWE-74
Vendor bentoml
Product openllm
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for bentoml openllm

Be the first to know when new medium vulnerabilities affecting bentoml openllm are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

bentoml / OpenLLM
0.6.30

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
vuldb.com: https://vuldb.com/vuln/376786 vuldb.com: https://vuldb.com/vuln/376786/cti vuldb.com: https://vuldb.com/cve/CVE-2026-15035 vuldb.com: https://vuldb.com/submit/850895 github.com: https://github.com/bentoml/OpenLLM/issues/1229 github.com: https://github.com/bentoml/OpenLLM/pull/1235 github.com: https://github.com/bentoml/OpenLLM/

Credits

๐Ÿ” geochen (VulDB User) VulDB CNA Team