CVE-2026-53777 HIGH

CVE-2026-53777: Perry < 0.5.1159 Path Traversal via ArtifactReady WebSocket

Vendor Perryts
Product perry
Weakness CWE-22 · Path traversal
Published June 11, 2026
Last update June 11, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.

Key dates

02Disclosure timeline

June 11, 2026 CVE published
June 11, 2026 Record updated

Related vulnerabilities

04Related CVE