Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack requiring low-privilege credentials with no scope change and limited Low-bounded impact across all three pillars.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Command injection in bentoml OpenLLM 0.6.30 allows local low-privilege users to execute arbitrary shell commands by supplying crafted model repository directory name arguments to the async_run_command function in src/openllm/common.py. A public proof-of-concept exploit is available per the CVSS 4.0 E:P modifier and disclosure notes, though no CISA KEV listing exists and the project had not responded to responsible disclosure at the time of reporting. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local system access with at minimum low-privilege credentials (AV:L/PR:L per the CVSS 4.0 vector) - remote exploitation is not possible based on available data. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is meaningfully constrained by several converging signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with low-privilege access to a system running OpenLLM 0.6.30 crafts a model repository directory name containing shell metacharacters (e.g., semicolons, backticks, or pipe characters) and supplies it as input to an OpenLLM model management operation. The `async_run_command` function in `src/openllm/common.py` passes the unsanitized argument to a shell or subprocess context, causing injected commands to execute with the privileges of the OpenLLM process. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the OpenLLM project had not responded to the responsible disclosure as of the report date. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42271
GHSA-6499-56p8-f7rq