Product
A path traversal vulnerability, CVE-2026-53598, in Prompty loaders allows an attacker-controlled `.prompty` file to read arbitrary files accessible to the host application process due to improper validation of `${file:...}` references in frontmatter, leading to sensitive local file disclosure.