CVE-2026-27606
published 2026-02-25


Priority P268
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.40% (69.1th percentile)
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker who controls output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) to use traversal sequences (`../`) to overwrite any file on the host filesystem that the build process has permission to write. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.

Affected

10 ranges

Vendor     Product       Version range                        Fixed in
debian     node-rollup   < node-rollup 3.30.0-1 (forky)       node-rollup 3.30.0-1 (forky)
rollup     rollup        < 2.80.0                             2.80.0
rollup     rollup        (not specified)                      (not specified)
rollup     rollup        (not specified)                      (not specified)
rollup     rollup        >= 0 < 2.80.0                        2.80.0
rollup     rollup        >= 3.0.0 < 3.30.0                    3.30.0
rollup     rollup        >= 4.0.0 < 4.59.0                    4.59.0
rollupjs   rollup        < 2.80.0                             2.80.0
rollupjs   rollup        >= 3.0.0 < 3.30.0                    3.30.0
rollupjs   rollup        >= 4.0.0 < 4.59.0                    4.59.0

Detection & IOCs (extracted from sources)

  • Detect path traversal sequences in Rollup output filenames — attacker-controlled filenames containing `../` sequences can be used to write files outside the intended output directory
  • Monitor Rollup build processes for output files written outside the expected output directory, especially to sensitive system or user configuration file paths
  • Audit Rollup CLI invocations, manual chunk alias configurations, and third-party plugin inputs for traversal sequences in named inputs or aliases
  • Vulnerability is present in Rollup v2.x < 2.80.0, v3.x < 3.30.0, and v4.x < 4.59.0; specifically called out as present in v4.x current source. Patched versions are 2.80.0, 3.30.0, and 4.59.0.
  • The root cause is insecure filename sanitization in Rollup's core engine: the engine does not strip or reject path traversal sequences from attacker-influenced output filenames.
  • Several Red Hat products are marked 'Affected' and have not yet received fixes, including openshift-pipelines/pipelines-hub-ui-rhel8, ansible-automation-platform-26/gateway-rhel9, automation-gateway, automation-platform-ui, and others. Some are marked 'Will not fix'.
  • Debian Bookworm, Bullseye, and Trixie remain open (unpatched) as of source publication; Forky and Sid are resolved with rollup 3.30.0-1.

CVSS provenance

nvd (v3.1)       9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0)       8.8  HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv              8.8  HIGH
vendor_debian    8.8  HIGH
vendor_redhat    8.8  HIGH