Lucene search
+L

535 matches found

Nuclei
Nuclei
added yesterday79 views

Ray Static File - Local File Inclusion

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. id: CVE-2023-6020 info: name: Ray Static File - Local File Inclusion author: byt3bl33d3r severity: high description: | LFI in Ray's /static/ directory allows attackers to read any file on the...

7.5CVSS7.7AI score0.14652EPSS
Exploits3References2
Nuclei
Nuclei
added 2 days ago93 views

Ray API - Local File Inclusion

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. id: CVE-2023-6021 info: name: Ray API - Local File Inclusion author: byt3bl33d3r severity: high description: | LFI in Ray's log API endpoint allows attackers to read any file on the server withou...

7.5CVSS7.7AI score0.37076EPSS
Exploits11References2
Nuclei
Nuclei
added 3 days ago79 views

Anyscale Ray - Remote Code Execution

Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API. id: CVE-2023-48022 info: name: Anyscale Ray - Remote Code Execution author:...

9.8CVSS7.3AI score0.81512EPSS
Exploits6References6
EUVD
EUVD
added 2026/07/11 12:31 a.m.6 views

EUVD-2026-43075

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

6.1AI score0.00118EPSS
Exploits0References2
NVD
NVD
added 2026/07/10 10:16 p.m.6 views

CVE-2026-15080

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

4.3CVSS0.00118EPSS
Exploits0References1
CVE
CVE
added 2026/07/10 9:46 p.m.12 views

CVE-2026-15080

Summary: CVE-2026-15080 is a CSRF vulnerability in Ray Enterprise Translation for Drupal. The issue affects versions 0.0.0–4.0.4, 4.1.0–4.1.4, and 11.0.0–11.0.4. The root cause, as described in the connected PT-2026-56660 entry, is that the module fails to protect several state-changing administr...

4.3CVSS6.1AI score0.00118EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/10 9:46 p.m.37 views

CVE-2026-15080 Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

0.00118EPSS
Exploits0References1
OSV
OSV
added 2026/07/10 9:46 p.m.3 views

CVE-2026-15080 Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

4.3CVSS6.1AI score0.00118EPSS
Exploits0References5
Drupal
Drupal
added 2026/07/08 12:0 a.m.8 views

Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

The Lingotek Ray Enterprise Translation provides multilingual site management. The module fails to protect several state-changing administrative routes against Cross Site Request Forgery attacks. An attacker could trick a privileged user into visiting a crafted page that triggers actions such as...

4.3CVSS5.9AI score0.00118EPSS
Exploits0References3
NVD
NVD
added 2026/07/01 5:16 p.m.9 views

CVE-2026-57516

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.8CVSS0.00493EPSS
Exploits1References5
EUVD
EUVD
added 2026/07/01 4:36 p.m.9 views

EUVD-2026-41089

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.8CVSS6.6AI score0.00493EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/07/01 4:36 p.m.41 views

CVE-2026-57516 Ray < 2.56.0 Unsafe Deserialization RCE via WebDataset Reader

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.8CVSS0.00493EPSS
Exploits1References5
CVE
CVE
added 2026/07/01 4:36 p.m.28 views

CVE-2026-57516

Ray prior to 2.56.0 is affected via the WebDataset reader flaw in which _default_decoder() deserializes tar entries using pickle.loads for .pkl/.pickle and torch.load for .pt/.pth, enabling remote code execution inside Ray remote workers when processing a malicious tar archive. Affected component...

8.8CVSS6.6AI score0.00493EPSS
Exploits1References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/07/01 4:36 p.m.7 views

CVE-2026-57516 Ray < 2.56.0 Unsafe Deserialization RCE via WebDataset Reader

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.8CVSS6.6AI score0.00493EPSS
Exploits1References5
OSV
OSV
added 2026/07/01 4:36 p.m.8 views

CVE-2026-57516 Ray < 2.56.0 Unsafe Deserialization RCE via WebDataset Reader

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.6CVSS6.8AI score0.00493EPSS
Exploits1References8
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-516 Ray Missing Authorization vulnerability

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here:...

9.3CVSS7AI score0.81512EPSS
Exploits22References7
OSV
OSV
added 2026/06/29 11:50 a.m.8 views

PYSEC-2026-515 Ray Path Traversal vulnerability

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here:...

9.3CVSS7AI score0.81512EPSS
Exploits22References7
OSV
OSV
added 2026/06/29 11:50 a.m.9 views

PYSEC-2026-517 Ray has arbitrary code execution via jobs submission API

Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment...

9.8CVSS7.5AI score0.81512EPSS
Exploits6References17
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-519 Ray OS Command Injection vulnerability

A command injection exists in Ray's cpuprofile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication...

9.8CVSS7.2AI score0.81512EPSS
Exploits22References7
OSV
OSV
added 2026/06/29 11:50 a.m.10 views

PYSEC-2026-518 Ray's New Token Authentication is Disabled By Default

Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces including the dashboard and Jobs API is disabled unless explicitly enabled by setting RAYAUTHMODE=token. In the default unauthenticated state, a remote attacker with...

9.3CVSS6.3AI score0.00474EPSS
Exploits5References12
Rows per page
Query Builder