CVE-2026-53777
8.1 HIGHPerry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any loca...
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS
- 8.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- CWE
- CWE-22
Description
Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-53777
- [Other]https://github.com/PerryTS/perry/commit/95e1043df8081f67038bffce847dd9ddb3dae046
- [Other]https://github.com/PerryTS/perry/pull/4989
- [Other]https://github.com/PerryTS/perry/releases/tag/v0.5.1159
- [Other]https://github.com/PerryTS/perry/security/advisories/GHSA-x55v-q459-68ch
- [Other]https://www.vulncheck.com/advisories/perry-path-traversal-via-artifactready-websocket
- [Other]https://github.com/PerryTS/perry/security/advisories/GHSA-x55v-q459-68ch
Related CVEs
Same CWE
- CVE-2026-47368 — A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to ob... (8.6 HIGH)
- CVE-2026-45171 — Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to ...
- CVE-2025-24268 — A parsing issue in the handling of directory paths was addressed with improved path validation (5.5 MEDIUM)
- CVE-2026-49982 — tmp is a temporary file and directory creator for node.js (8.2 HIGH)
- CVE-2026-44705 — tmp is a temporary file and directory creator for node.js