Lucene search
K

533 matches found

Nuclei
Nuclei
added 8 hours ago78 views

Ray Static File - Local File Inclusion

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. id: CVE-2023-6020 info: name: Ray Static File - Local File Inclusion author: byt3bl33d3r severity: high description: | LFI in Ray's /static/ directory allows attackers to read any file on the...

7.5CVSS7.1AI score0.14652EPSS
Exploits3References2
Nuclei
Nuclei
added 2 days ago91 views

Ray API - Local File Inclusion

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. id: CVE-2023-6021 info: name: Ray API - Local File Inclusion author: byt3bl33d3r severity: high description: | LFI in Ray's log API endpoint allows attackers to read any file on the server withou...

7.5CVSS7.1AI score0.37076EPSS
Exploits11References2
Nuclei
Nuclei
added 2 days ago78 views

Anyscale Ray - Remote Code Execution

Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API. id: CVE-2023-48022 info: name: Anyscale Ray - Remote Code Execution author:...

9.8CVSS7.3AI score0.81512EPSS
Exploits6References6
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-43075

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

6.1AI score0.00118EPSS
Exploits0References2
NVD
NVD
added 5 days ago5 views

CVE-2026-15080

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

4.3CVSS0.00118EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago36 views

CVE-2026-15080 Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

0.00118EPSS
Exploits0References1
OSV
OSV
added 5 days ago2 views

CVE-2026-15080 Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

4.3CVSS6.1AI score0.00118EPSS
Exploits0References5
CVE
CVE
added 5 days ago12 views

CVE-2026-15080

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

4.3CVSS6.1AI score0.00118EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 5:16 p.m.9 views

CVE-2026-57516

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.8CVSS0.00493EPSS
Exploits1References5
OSV
OSV
added 2026/07/01 4:36 p.m.7 views

CVE-2026-57516 Ray < 2.56.0 Unsafe Deserialization RCE via WebDataset Reader

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.6CVSS6.8AI score0.00493EPSS
Exploits1References8
CVE
CVE
added 2026/07/01 4:36 p.m.23 views

CVE-2026-57516

Ray prior to 2.56.0 is affected via the WebDataset reader flaw in which _default_decoder() deserializes tar entries using pickle.loads for .pkl/.pickle and torch.load for .pt/.pth, enabling remote code execution inside Ray remote workers when processing a malicious tar archive. Affected component...

8.8CVSS6.6AI score0.00493EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/07/01 4:36 p.m.41 views

CVE-2026-57516 Ray < 2.56.0 Unsafe Deserialization RCE via WebDataset Reader

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.8CVSS0.00493EPSS
Exploits1References5
EUVD
EUVD
added 2026/07/01 4:36 p.m.8 views

EUVD-2026-41089

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the readwebdataset function. The defaultdecoder function in webdatasetdatasource.py unconditionally calls...

8.8CVSS6.6AI score0.00493EPSS
Exploits1References5
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-519 Ray OS Command Injection vulnerability

A command injection exists in Ray's cpuprofile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication...

9.8CVSS7.2AI score0.81512EPSS
Exploits22References7
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-516 Ray Missing Authorization vulnerability

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here:...

9.3CVSS7AI score0.81512EPSS
Exploits22References7
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-515 Ray Path Traversal vulnerability

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here:...

9.3CVSS7AI score0.81512EPSS
Exploits22References7
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-517 Ray has arbitrary code execution via jobs submission API

Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment...

9.8CVSS7.5AI score0.81512EPSS
Exploits6References17
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-520 Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack

Summary Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. Due to the longstanding decision by the Ray Development team to not implement any sort of authentication on critical endpoints, like the /api/jobs &...

9.4CVSS7AI score0.00338EPSS
Exploits0References11
OSV
OSV
added 2026/06/29 11:50 a.m.9 views

PYSEC-2026-518 Ray's New Token Authentication is Disabled By Default

Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces including the dashboard and Jobs API is disabled unless explicitly enabled by setting RAYAUTHMODE=token. In the default unauthenticated state, a remote attacker with...

9.3CVSS6.3AI score0.00474EPSS
Exploits5References12
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.8 views

CVE-2025-24818

Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application...

8CVSS5.5AI score0.01006EPSS
Exploits0References1
Rows per page
Query Builder