{"url":"http://public2.vulnerablecode.io/api/packages/374051?format=json","purl":"pkg:pypi/ray@2.55.0","type":"pypi","namespace":"","name":"ray","version":"2.55.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.43.0","latest_non_vulnerable_version":"2.55.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80974?format=json","vulnerability_id":"VCID-p5j5-4rvx-93ax","summary":"Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), so the file's metadata can trigger arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41486","reference_id":"","reference_type":"","scores":[{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14198","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41486"},{"reference_url":"https://github.com/ray-project/ray/pull/54831","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ray-project/ray/pull/54831"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41486","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41486"},{"reference_url":"https://github.com/ray-project/ray/pull/62056","reference_id":"62056","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:07:47Z/"}],"url":"https://github.com/ray-project/ray/pull/62056"},{"reference_url":"https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f","reference_id":"c02bd31ae31996805868baa446a131a8d304525f","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:07:47Z/"}],"url":"https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f"},{"reference_url":"https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r","reference_id":"GHSA-mw35-8rx3-xf9r","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:07:47Z/"}],"url":"https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r"},{"reference_url":"https://github.com/ray-project/ray/releases/tag/ray-2.55.0","reference_id":"ray-2.55.0","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-12T02:07:47Z/"}],"url":"https://github.com/ray-project/ray/releases/tag/ray-2.55.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374051?format=json","purl":"pkg:pypi/ray@2.55.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ray@2.55.0"}],"aliases":["CVE-2026-41486","GHSA-mw35-8rx3-xf9r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p5j5-4rvx-93ax"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ray@2.55.0"}