Lucene search
+L

6 matches found

CVE
CVE
added 2023/11/28 12:0 a.m.191 views

CVE-2023-48022

This CVE impacts Anyscale Ray versions 2.6.3 and 2.8.0, where the remote code execution (RCE) arises from an insecure job submission API. The vulnerability enables unauthenticated remote code execution if an attacker can reach the Ray Dashboard API over the network, as Ray’s API lacks proper auth...

9.8CVSS7.5AI score0.81512EPSS
In wild
CVE
CVE
added 2023/11/28 12:0 a.m.102 views

CVE-2023-48023

CVE-2023-48023 : The Ray Dashboard API (Ray versions 2.6.3–2.8.0) is affected by a Server-Side Request Forgery in the /log_proxy endpoint. The parameter does not validate input and accepts any HTTP(S) URL, enabling exploitation without authentication over the Ray Dashboard port (default 8265). Th...

9.1CVSS8.4AI score0.35052EPSS
CVE
CVE
added 2026/02/21 9:18 a.m.39 views

CVE-2026-27482

CVE-2026-27482 affects Ray’s dashboard HTTP server. In versions 2.53.0 and below, DELETE endpoints are unauthenticated, and the server may be reachable on 0.0.0.0, enabling a browser-based request (DNS rebinding or same-network) to issue DELETE requests that shut down Serve or delete jobs without...

6.5CVSS5.6AI score0.00256EPSS
CVE
CVE
added 2026/07/01 4:36 p.m.27 views

CVE-2026-57516

Ray prior to 2.56.0 is affected via the WebDataset reader flaw in which _default_decoder() deserializes tar entries using pickle.loads for .pkl/.pickle and torch.load for .pt/.pth, enabling remote code execution inside Ray remote workers when processing a malicious tar archive. Affected component...

8.8CVSS6.6AI score0.00493EPSS
CVE
CVE
added 2026/05/08 9:46 p.m.22 views

CVE-2026-41486

Ray contains a remote code execution flaw (CVE-2026-41486) observed in Ray 2.49.0–2.54.0 where PyArrow reads Parquet extension types in metadata and Ray passes the bytes to cloudpickle.loads() during schema parsing, enabling arbitrary code execution before any row data is read. The issue affects ...

8.9CVSS6.3AI score0.00473EPSS
CVE
CVE
added 2026/03/17 7:33 p.m.17 views

CVE-2026-32981

Ray Dashboard on port 8265 has a path traversal flaw in versions prior to 2.8.1 due to improper validation/sanitization of user-supplied paths in the static file handling, allowing access to files outside the static directory and causing local file disclosure. Reported with high severity (CVSS 3....

8.7CVSS5.8AI score0.00929EPSS