Vendor
high
advisory
Arbitrary Code Execution via JavaScript Frontmatter in Prompty TypeScript Loader
1 TTP 1 CVEA high-severity vulnerability, CVE-2026-53597, in the Prompty TypeScript loader (`@prompty/core`) versions `>= 2.0.0-alpha.1 < 2.0.0-beta.3` allows arbitrary JavaScript code execution in the host Node.js process when parsing untrusted `.prompty` files due to improper handling of `gray-matter`'s executable frontmatter engines.
@prompty/core
arbitrary-code-execution
supply-chain
vulnerability
nodejs
typescript
1t
1c
high
advisory
Prompty Arbitrary File Read Vulnerability via File Reference Expansion (CVE-2026-53598)
2 TTPs 1 CVEA path traversal vulnerability, CVE-2026-53598, in Prompty loaders allows an attacker-controlled `.prompty` file to read arbitrary files accessible to the host application process due to improper validation of `${file:...}` references in frontmatter, leading to sensitive local file disclosure.
prompty +3
arbitrary-file-read
path-traversal
code-execution
2t
1c