Ray Data in versions 2.54.0 through 2.54.x registers custom PyArrow extension types globally. When PyArrow parses a Parquet file schema containing these extension types, the `__arrow_ext_deserialize__` method passes metadata bytes directly to `cloudpickle.loads()`, enabling arbitrary code execution during schema parsing before any row data is read. This deserialization of untrusted data (CWE-502) allows c [truncated]
A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2.8.1. The vulnerability allows an attacker to access files outside the intended static directory using traversal sequences, resulting in local file disclosure. This issue has a CVSS score of 8.7 and is considered HIGH severity. The CVE was published on March 17, 2026, and last modified on June 30, [truncated]