CVE-2026-53777

Source
https://cve.org/CVERecord?id=CVE-2026-53777
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53777.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53777
Aliases
  • GHSA-x55v-q459-68ch
Published
2026-06-11T14:47:02.421Z
Modified
2026-07-08T08:12:28.726893Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Perry < 0.5.1159 Path Traversal via ArtifactReady WebSocket
Details

Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifactname field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifactname or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53777.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/perryts/perry

Affected ranges

Type
GIT
Repo
https://github.com/perryts/perry
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.5.1159"
        }
    ]
}

Affected versions

v0.*
v0.2.173
v0.2.179
v0.2.183
v0.2.192
v0.2.194
v0.2.195
v0.2.197
v0.2.200
v0.2.201
v0.2.202
v0.2.203
v0.2.97
v0.3.0
v0.3.1
v0.4.0
v0.4.14
v0.4.15
v0.4.17
v0.4.18
v0.4.19
v0.4.2
v0.4.21
v0.4.22
v0.4.23
v0.4.24
v0.4.26
v0.4.27
v0.4.28
v0.4.29
v0.4.3
v0.4.30
v0.4.32
v0.4.36
v0.4.37
v0.4.38
v0.4.39
v0.4.40
v0.4.41
v0.4.45
v0.4.47
v0.4.51
v0.4.6
v0.4.8
v0.5.1008
v0.5.1011
v0.5.1019
v0.5.1020
v0.5.1021
v0.5.1022
v0.5.1024
v0.5.1025
v0.5.1028
v0.5.1112
v0.5.1116
v0.5.1117
v0.5.1120
v0.5.1121
v0.5.1122
v0.5.1125
v0.5.1129
v0.5.1150
v0.5.1151
v0.5.1158
v0.5.13
v0.5.14
v0.5.15
v0.5.343
v0.5.345
v0.5.359
v0.5.373
v0.5.374
v0.5.375
v0.5.379
v0.5.386
v0.5.450
v0.5.451
v0.5.452
v0.5.453
v0.5.454
v0.5.455
v0.5.456
v0.5.460
v0.5.463
v0.5.465
v0.5.509
v0.5.510
v0.5.511
v0.5.581
v0.5.582
v0.5.583
v0.5.585
v0.5.825
v0.5.832
v0.5.837
v0.5.840
v0.5.841
v0.5.842
v0.5.845
v0.5.846
v0.5.848
v0.5.849
v0.5.851
v0.5.852
v0.5.853
v0.5.854
v0.5.856
v0.5.857
v0.5.860
v0.5.861
v0.5.862
v0.5.863
v0.5.864
v0.5.865
v0.5.868
v0.5.871
v0.5.874
v0.5.875
v0.5.876
v0.5.877
v0.5.878
v0.5.879
v0.5.880
v0.5.881
v0.5.882
v0.5.883
v0.5.885
v0.5.886
v0.5.887
v0.5.888
v0.5.889
v0.5.890
v0.5.891
v0.5.921
v0.5.923

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53777.json"