CVE-2026-27606 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: February 25, 2026
Rollup - Path Traversal
Published: February 25, 2026Updated: February 25, 2026PoC AvailableRemote Exploitable
Overview
Rollup < 2.80.0, < 3.30.0, and < 4.59.0 contains a path traversal caused by insecure file name sanitization in the core engine, letting attackers write arbitrary files and potentially achieve remote code execution, exploit requires control over output filenames.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can overwrite files on the host filesystem, potentially leading to persistent remote code execution.
Mitigation
Upgrade to versions 2.80.0, 3.30.0, or 4.59.0 or later.
References
- https://github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2
- https://github.com/rollup/rollup/commit/c8cf1f9c48c516285758c1e11f08a54f304fd44e
- https://github.com/rollup/rollup/commit/d6dee5e99bb82aac0bee1df4ab9efbde455452c3
- https://github.com/rollup/rollup/releases/tag/v2.80.0
- https://github.com/rollup/rollup/releases/tag/v3.30.0
- https://github.com/rollup/rollup/releases/tag/v4.59.0
- https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
Related Resources
Details
- CVE ID
- CVE-2026-27606
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- path_traversal
- Status
- confirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H