Skip to main content

Perry

2 CVEs product

Monthly

CVE-2026-53776 CRITICAL PATCH Act Now

Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.

Authentication Bypass Perry
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-53777 HIGH PATCH This Week

Path traversal in Perry (PerryTS) CLI versions before 0.5.1159 allows a malicious or compromised build server to write arbitrary files anywhere the Perry process can write, or exfiltrate arbitrary local files, by sending crafted artifact_name or download_path values in ArtifactReady WebSocket messages. No public exploit identified at time of analysis, but the upstream commit and tests confirm the issue and a patched release is available.

Path Traversal Perry
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.

Authentication Bypass Perry
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Path traversal in Perry (PerryTS) CLI versions before 0.5.1159 allows a malicious or compromised build server to write arbitrary files anywhere the Perry process can write, or exfiltrate arbitrary local files, by sending crafted artifact_name or download_path values in ArtifactReady WebSocket messages. No public exploit identified at time of analysis, but the upstream commit and tests confirm the issue and a patched release is available.

Path Traversal Perry
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy