Back to overview

CVE-2026-15035

MEDIUM Exploitation: PoC
5.3
CVSS 3.1
Description
A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Metadata

CVE ID
CVE-2026-15035
State
PUBLISHED
Assigner
VulDB
Reserved
2026-07-08 07:41 UTC
Published
2026-07-08 14:00 UTC
Last updated
2026-07-08 14:20 UTC
Primary CWE
CWE-77
Command Injection
Vendor / Product
bentoml / OpenLLM
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
bentoml OpenLLM 0.6.30
Weakness (CWE)
CWESourceDescription
CWE-74 cna Injection
CWE-77 cna Command Injection
CVSS scores (4)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.3 MEDIUM 3.0 cna CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
4.8 MEDIUM 4.0 cna CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
4.3 N/D 2.0 cna AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
References (7)
Back to overview