CVE-2026-27606 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: February 25, 2026
Rollup - Path Traversal
Overview
Rollup < 2.80.0, < 3.30.0, and < 4.59.0 contains a path traversal caused by insecure file name sanitization in the core engine, letting attackers write arbitrary files and potentially achieve remote code execution, exploit requires control over output filenames.
Severity & Score
Impact
Attackers can overwrite files on the host filesystem, potentially leading to persistent remote code execution.
Mitigation
Upgrade to versions 2.80.0, 3.30.0, or 4.59.0 or later.
References
- https://github.com/rollup/rollup/releases/tag/v3.30.0
- https://github.com/rollup/rollup/releases/tag/v4.59.0
- https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
- https://github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2
- https://github.com/rollup/rollup/commit/c8cf1f9c48c516285758c1e11f08a54f304fd44e
- https://github.com/rollup/rollup/commit/d6dee5e99bb82aac0bee1df4ab9efbde455452c3
- https://github.com/rollup/rollup/releases/tag/v2.80.0
Social Media Activity(1 post)
š“ CVE-2026-27606 - Critical (9.8) Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name ... š https://www.thehackerwire.com/vulnerability/CVE-2026-27606/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-27606
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- path_traversal
- Status
- confirmed
- EPSS
- 47.5%
- Social Posts
- 1
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H