## Three High-Severity Vulnerabilities Surface in Ray, lxml and sqlitedict, Widening the Attack Surface of Popular Python Packages
A cluster of high-severity security vulnerabilities has been identified across three widely deployed Python packages, raising fresh concerns about supply-chain risk in open-source dependencies. The alerts, surfaced through GitHub's Dependabot on April 24, 2026, affect Ray, lxml, and sqlitedict, all packages with substantial user bases in data engineering, web development, and application infrastructure.

The most serious finding involves Ray, a distributed computing framework used extensively in machine learning pipelines: a remote code execution (RCE) path through deserialization of Parquet Arrow extension types (CVE-2026-41486). Until it is patched, an attacker who can get a crafted Parquet file in front of Ray's deserialization routines can execute arbitrary code in the process that reads it. Separately, lxml, a core XML processing library, carries an XML External Entity (XXE) injection flaw (CVE-2026-41066) arising from the default configuration of iterparse() and ETCompatXMLParser(), scored 7.5 (high) on the CVSS scale. The third alert documents an insecure deserialization issue in sqlitedict (CVE-2024-35515), a lightweight persistent dictionary library commonly embedded in production applications; sqlitedict serializes stored values with pickle by default, so any path by which an attacker can influence the contents of the backing SQLite file deserves an audit.
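The lxml finding is a reminder that XXE defences should not depend on a parser's defaults. The following is an added example, not code from the advisory or from the lxml project: a parser-agnostic gate that refuses any untrusted XML carrying a DOCTYPE declaration (every external-entity and entity-expansion attack needs one), followed by a hardened lxml parser as defence in depth. The sample documents are constructed for the example, the `file:///etc/hostname` target in the probe is illustrative only, and lxml is assumed to be installed for the second step (it is imported lazily so the gate itself needs only the standard library).

```python
"""Parser-agnostic gate against XXE: refuse untrusted XML that declares a DTD.

Added example, not code from the lxml project or the advisory. External-entity,
parameter-entity and "billion laughs" attacks all require a <!DOCTYPE ...>
declaration, so rejecting documents that carry one closes the class regardless
of which parser defaults (iterparse(), ETCompatXMLParser(), ...) sit behind it.
"""
import xml.parsers.expat


class DoctypeFound(Exception):
    """Raised from the expat handler as soon as a DOCTYPE declaration is seen."""


def is_unsafe_xml(data: bytes) -> bool:
    """True if `data` declares a DOCTYPE or is not well-formed; False otherwise.

    The check runs on the stdlib expat parser with no external-entity handler
    installed, so the document it inspects cannot exploit the check itself.
    It fails closed: XML that expat cannot parse is also rejected, so a more
    lenient downstream parser (e.g. one built with recover=True) never sees it.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires for <!DOCTYPE x>, <!DOCTYPE x SYSTEM "...">, and internal subsets alike.
        raise DoctypeFound(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except DoctypeFound:
        return True
    except xml.parsers.expat.ExpatError:
        return True  # fail closed on malformed input (includes undeclared entity references)
    return False


def parse_untrusted(data: bytes):
    """Hardened front door for untrusted XML (lxml assumed installed).

    1. Reject anything that declares a DTD or is malformed.
    2. Parse with an lxml XMLParser that has entity resolution, DTD loading and
       network access switched off, so that even if step 1 were bypassed the
       parser would not expand external entities. The same keyword arguments
       apply to ETCompatXMLParser().
    """
    if is_unsafe_xml(data):
        raise ValueError("refusing XML that declares a DOCTYPE or is malformed")
    from lxml import etree
    parser = etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)
    return etree.fromstring(data, parser)


# Constructed samples: a classic XXE probe and a benign document.
XXE_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>\n'
    b'<data>&xxe;</data>\n'
)
BENIGN_SAMPLE = b'<?xml version="1.0"?><data><item id="1">ok</item></data>'
```

Apply the gate at the trust boundary (request body, uploaded file, message payload) before the bytes reach any XML library; the hardened `XMLParser` is belt-and-braces for code you control, while the gate also protects code paths such as `iterparse()` that construct their own parser internally.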

The simultaneous alerts put pressure on development teams to assess exposure across their dependency trees. Ray's RCE vector is particularly concerning given the framework's frequent deployment in cloud-native, high-permission environments. lxml's XXE flaw, rated high at CVSS 7.5, threatens any application that parses untrusted XML with the library's default settings, with local file disclosure and server-side request forgery as the usual outcomes of this bug class. Organizations relying on these packages face accelerated patching cycles; security teams are urged to verify whether the affected code paths handle untrusted data or run in multi-tenant contexts and, until fixes land, to keep untrusted input away from those paths. That all three alerts arrived on the same date reflects when Dependabot ingested the advisories rather than a coordinated disclosure: the sqlitedict issue carries a 2024 CVE identifier. Public patch availability remains limited at the time of reporting.
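For the two deserialization findings, the interim control while patches are pending is to make sure untrusted bytes never reach an unrestricted unpickler. The following is an added example, not code from sqlitedict, Ray or the advisory: it shows the two options a team has for a pickle-backed store such as sqlitedict, namely switching values to JSON, or keeping pickle for compatibility but decoding through an `Unpickler` whose `find_class()` admits only an explicit allow-list. The `SAFE_GLOBALS` contents, the `open_store()` helper and the tampered-row payloads are assumptions constructed for the example; `open_store()` relies on sqlitedict's `encode`/`decode` constructor arguments and assumes the library is installed.

```python
"""Hardening a pickle-backed store against insecure deserialization.

Added example, not code from sqlitedict, Ray or the advisory. A crafted record
whose pickle references a callable such as os.system is rejected by the
restricted unpickler instead of executed, while ordinary data round-trips.
"""
import io
import json
import os
import pickle

# Allow-list of (module, name) globals a stored value may reference (assumed set,
# extend with your own data classes). Plain dicts, lists, strings, numbers and,
# at protocol 4+, sets pickle without any global reference, so even an empty
# allow-list already covers most configuration-style values.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup not on SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that blocks code-executing pickles."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def json_encode(obj) -> str:
    """Option (a): store JSON text instead of pickle; no code can hide in it."""
    return json.dumps(obj, separators=(",", ":"))


def json_decode(text: str):
    return json.loads(text)


def open_store(path: str):
    """Option (b): a sqlitedict that can never execute pickled code (sqlitedict assumed installed)."""
    from sqlitedict import SqliteDict
    return SqliteDict(path, encode=pickle.dumps, decode=restricted_loads, autocommit=True)


class _Evil:
    """Constructed malicious object: its pickle reduces to os.system("echo pwned")."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


# Constructed payloads standing in for rows of a tampered database file.
MALICIOUS_PICKLE = pickle.dumps(_Evil())      # building it runs nothing; pickle.loads() would
BENIGN_PICKLE = pickle.dumps({"job": "train", "epochs": 3, "tags": {"prod"}})


def load_record(raw: bytes):
    """Decode one stored value; returns (ok, value) or (False, reason)."""
    try:
        return True, restricted_loads(raw)
    except pickle.UnpicklingError as exc:
        return False, str(exc)
```

Prefer the JSON route for new stores; the restricted unpickler is the pragmatic fix for existing data, and its allow-list should stay as small as the stored types permit, because every admitted global is one more thing an attacker can reach.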
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, remote-code-execution, xxe, python-packages, supply-chain-security
- **Credibility**: unverified
- **Published**: 2026-04-25 09:54:06
- **ID**: 77046
- **URL**: https://whisperx.ai/en/intel/77046