Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifactname field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifactname or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53777.json",
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-22"
]
}