
PatchSiren cyber security CVE debrief

CVE-2026-53777 PerryTS CVE debrief

CVE-2026-53777 is a HIGH-severity path traversal vulnerability in Perry that allows a malicious build server to write arbitrary content to any location writable by the running process. The flaw stems from unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. An attacker who controls the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or to expose arbitrary local files at an attacker-accessible location.

Vendor: PerryTS
Product: perry
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Users of Perry before version 0.5.1159 should update to the latest version to mitigate this vulnerability. Additionally, administrators and security teams responsible for software supply chain security should be aware of this vulnerability and take necessary precautions to prevent exploitation.

Technical summary

The vulnerability is caused by a lack of proper sanitization of path components in the artifact_name field of ArtifactReady WebSocket messages. This allows a malicious build server to write arbitrary content to any location writable by the running process. The vulnerability has a CVSS score of 8.6 and is classified as HIGH severity.
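As an added illustration, not code from the Perry project, the following shows the kind of containment check a client should apply to artifact_name before touching the filesystem: reject absolute paths, parent references and separator tricks, then confirm the resolved target still sits under the artifact directory. The JSON message shape, the ARTIFACT_ROOT location and the function names are assumptions.

```python
import json
from pathlib import Path, PurePosixPath

# Assumption: the directory a client is allowed to write artifacts into.
ARTIFACT_ROOT = Path("/tmp/perry-artifacts")


class UnsafeArtifactName(ValueError):
    """Raised when an artifact_name would escape the artifact directory."""


def resolve_artifact_path(root: Path, artifact_name: str) -> Path:
    """Return the on-disk path for artifact_name, or raise if it is not contained in root."""
    if not artifact_name or artifact_name != artifact_name.strip():
        raise UnsafeArtifactName("empty or whitespace-padded artifact_name")
    if "\\" in artifact_name or "\x00" in artifact_name:
        raise UnsafeArtifactName("backslash or NUL byte in artifact_name")
    pure = PurePosixPath(artifact_name)
    # Lexical checks: no absolute paths, no '..' components anywhere in the name.
    if pure.is_absolute() or any(part == ".." for part in pure.parts):
        raise UnsafeArtifactName(f"traversal component in {artifact_name!r}")
    # Second line of defence: resolve both sides (follows symlinks) and require
    # the target to be strictly below the root, never the root itself.
    resolved_root = root.resolve()
    resolved = (root / pure).resolve()
    if resolved_root not in resolved.parents:
        raise UnsafeArtifactName(f"{artifact_name!r} resolves outside {root}")
    return resolved


def handle_artifact_ready(message: str, root: Path = ARTIFACT_ROOT) -> Path:
    """Parse a (constructed) ArtifactReady message and validate its artifact_name."""
    msg = json.loads(message)
    if msg.get("type") != "ArtifactReady":
        raise ValueError("not an ArtifactReady message")
    return resolve_artifact_path(root, msg["artifact_name"])


def triage(messages: list) -> dict:
    """Map each constructed message's artifact_name to 'ok' or 'rejected'."""
    verdicts = {}
    for raw in messages:
        name = json.loads(raw)["artifact_name"]
        try:
            handle_artifact_ready(raw)
            verdicts[name] = "ok"
        except (UnsafeArtifactName, ValueError):
            verdicts[name] = "rejected"
    return verdicts
```

The lexical check alone is not enough when the artifact directory may contain symlinks, which is why the resolved path is compared against the resolved root as well.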

Defensive priority

HIGH

Recommended defensive actions

  • Update Perry to version 0.5.1159 or later.
  • Restrict access to the build server and WebSocket connections.
  • Monitor for suspicious activity and implement additional security measures to prevent exploitation.

Evidence notes

The vulnerability was reported by VulnCheck and is tracked under CVE-2026-53777. The Perry project has released a patch for the vulnerability in version 0.5.1159.

Official resources

CVE-2026-53777 was published on 2026-06-11T16:16:24.873Z and modified on 2026-06-11T21:00:53.163Z.