PT-2026-48673 · Perryts · Perry

Katriel Moses +1 · Published 2026-06-11 · Updated 2026-06-11 · CVE-2026-53777

CVSS v3.1: 8.1 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact name or download path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.
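
The following is an added example, not code from Perry or from the advisory: it contrasts joining a server-supplied artifact name directly onto an output directory with accepting the name only when it is a single plain file-name component. The function names, the output directory and the sample names are assumptions constructed for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Naive handling of the kind the advisory describes: the name is joined as-is.
/// `Path::join` keeps `..` segments and lets an absolute name replace the base.
fn naive_artifact_path(output_dir: &Path, artifact_name: &str) -> PathBuf {
    output_dir.join(artifact_name)
}

/// Hardened handling (hypothetical helper): accept one plain component only.
fn safe_artifact_path(output_dir: &Path, artifact_name: &str) -> Result<PathBuf, String> {
    // Reject separators of every platform, drive/stream markers and NUL up front,
    // so a name crafted for Windows is refused on Unix as well, and vice versa.
    if artifact_name.is_empty()
        || artifact_name.chars().any(|c| matches!(c, '/' | '\\' | ':' | '\0'))
    {
        return Err(format!("rejected artifact name: {:?}", artifact_name));
    }
    // What is left must parse as exactly one normal component (not "." or "..").
    let mut parts = Path::new(artifact_name).components();
    match (parts.next(), parts.next()) {
        (Some(Component::Normal(_)), None) => Ok(output_dir.join(artifact_name)),
        _ => Err(format!("rejected artifact name: {:?}", artifact_name)),
    }
}

fn main() {
    let out = Path::new("/tmp/perry-out"); // constructed output directory
    // Constructed sample values for the artifact name field of a server message.
    for name in ["app.tar.gz", "../../outside.txt", "/abs/outside.txt", "..", "a\\b"] {
        println!(
            "{:?}: naive={:?} safe={:?}",
            name,
            naive_artifact_path(out, name),
            safe_artifact_path(out, name)
        );
    }
}
```

Validating the name before the join matters because the join itself never fails: an absolute name silently discards the intended directory.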

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-53777

Affected Products

Perry