CVE-2026-27606
Published 2026-02-25
CVE-2026-27606: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current…
Priority P268 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 1.40% (69.1th percentile)
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-rollup | < node-rollup 3.30.0-1 (forky) | node-rollup 3.30.0-1 (forky) |
| rollup | rollup | < 2.80.0 | 2.80.0 |
| rollup | rollup | — | — |
| rollup | rollup | — | — |
| rollup | rollup | >= 0 < 2.80.0 | 2.80.0 |
| rollup | rollup | >= 3.0.0 < 3.30.0 | 3.30.0 |
| rollup | rollup | >= 4.0.0 < 4.59.0 | 4.59.0 |
| rollupjs | rollup | < 2.80.0 | 2.80.0 |
| rollupjs | rollup | >= 3.0.0 < 3.30.0 | 3.30.0 |
| rollupjs | rollup | >= 4.0.0 < 4.59.0 | 4.59.0 |
Detection & IOCs (extracted from sources)
- Detect path traversal sequences in Rollup output filenames — attacker-controlled filenames containing `../` sequences can be used to write files outside the intended output directory
- Monitor Rollup build processes for output files written outside the expected output directory, especially to sensitive system or user configuration file paths
- Audit Rollup CLI invocations, manual chunk alias configurations, and third-party plugin inputs for traversal sequences in named inputs or aliases
- Vulnerability is present in Rollup v2.x < 2.80.0, v3.x < 3.30.0, and v4.x < 4.59.0; specifically called out as present in v4.x current source. Patched versions are 2.80.0, 3.30.0, and 4.59.0.
- The root cause is insecure filename sanitization in Rollup's core engine — the engine does not strip or reject path traversal sequences from attacker-influenced output filenames.
- Several Red Hat products are marked 'Affected' and have not yet received fixes, including openshift-pipelines/pipelines-hub-ui-rhel8, ansible-automation-platform-26/gateway-rhel9, automation-gateway, automation-platform-ui, and others. Some are marked 'Will not fix'.
- Debian Bookworm, Bullseye, and Trixie remain open (unpatched) as of source publication; Forky and Sid are resolved with rollup 3.30.0-1.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
vendor_redhat·2026-02-25·CVSS 8.8
CVE-2026-27606 [HIGH] CWE-22 rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
A flaw was fou
Debian
CVE-2026-27606: node-rollup - Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and...
vendor_debian·2026·CVSS 8.8
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3.30.0-1)
sid: res
OSV
Rollup 4 has Arbitrary File Write via Path Traversal
osv·2026-02-25
CVE-2026-27606 [HIGH] Rollup 4 has Arbitrary File Write via Path Traversal
### Summary
The Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files.
### Details
The vulnerability is caused by the combination of two flawed components in the Rollup core:
1. **Improper Sanitization**: In `src/utils/sanitizeFileName.ts`, the `IN
GHSA
Rollup 4 has Arbitrary File Write via Path Traversal
ghsa·2026-02-25
CVE-2026-27606 [HIGH] CWE-22 Rollup 4 has Arbitrary File Write via Path Traversal
OSV
CVE-2026-27606: Rollup is a module bundler for JavaScript
osv·2026-02-25·CVSS 8.8
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27606 rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
bugzilla·2026-02-25·CVSS 8.8
Wiz
CVE-2026-27606 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2026-27606: JavaScript vulnerability analysis and mitigation
Source: NVD
Score: 8.8
Published: February 25, 2026
Severity: HIGH
CNA Score: 8.8
Affected Technologies: JavaScript, Grafana
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 51.4
Exploitation Probability (EPSS): 0.3
Affected packages and libraries: grafana, golang-github-prometheus-promu
Sources: NVD
Chainguard: Has Fix · Added at: Mar 03, 2026
Debian 11, 12, 13: Severity MEDIUM · No Fix · Added at: Mar 02, 2026
Debian 14: Severity CRITICAL · Has Fix · Added at: Mar 02, 2026
Echo: Severity CRITICAL · No Fix · Added at: Mar 02, 2026
npm: Severity HIGH · Has Fix · Added at: Mar 02, 2026
Homebrew: Severity CRITICAL · Has Fix · Added at:
References
https://github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2
https://github.com/rollup/rollup/commit/c8cf1f9c48c516285758c1e11f08a54f304fd44e
https://github.com/rollup/rollup/commit/d6dee5e99bb82aac0bee1df4ab9efbde455452c3
https://github.com/rollup/rollup/releases/tag/v2.80.0
https://github.com/rollup/rollup/releases/tag/v3.30.0
https://github.com/rollup/rollup/releases/tag/v4.59.0
https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:13508
https://access.redhat.com/errata/RHSA-2026:13512
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:5132
https://access.redhat.com/errata/RHSA-2026:5649
https://access.redhat.com/errata/RHSA-2026:5665
https://access.redhat.com/errata/RHSA-2026:6174
https://access.redhat.com/errata/RHSA-2026:6802
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/security/cve/CVE-2026-27606
https://bugzilla.redhat.com/show_bug.cgi?id=2442530
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27606.json
Published 2026-02-25