PT-2026-21834 · Rollup · Rollup

Viralvaghela · Published 2026-02-23 · Updated 2026-05-11 · CVE-2026-27606

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Note that the vector as shown (VA:N and no subsequent-system impact) does not evaluate to 10.0 in the CVSS v4.0 calculator, so verify the score and vector against the vendor advisory before using them for prioritisation.
Name of the Vulnerable Software and Affected Versions
Rollup versions prior to 2.80.0
Rollup versions prior to 3.30.0
Rollup versions prior to 4.59.0
Description
Rollup, a JavaScript module bundler, does not adequately sanitize output file names in its core engine. An attacker who can influence the names of the files Rollup writes can embed path traversal sequences such as ../ so that the bundler writes outside the configured output directory, overwriting any file the build process has write access to. Because a build normally runs as the developer's or the CI user's account, overwriting critical system or user configuration files (for example shell startup or project configuration files that are executed later) can turn this arbitrary file write into persistent Remote Code Execution (RCE). The issue is present in versions 4.x and earlier.
Recommendations
Update to Rollup version 2.80.0 or later (2.x line), 3.30.0 or later (3.x line) or 4.59.0 or later (4.x line). Rollup is frequently pulled in as a transitive dependency (Vite, for example, depends on it), so check every copy in the dependency tree with npm ls rollup --all and update or override nested copies as well, then regenerate the lockfile. Until the update is applied, run builds with the least write access the job needs (a dedicated user or container whose writable paths are limited to the project workspace), so that a traversal out of the output directory cannot reach startup or configuration files.

Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-04349
CVE-2026-27606
GHSA-MW96-CPMX-2VGC
OPENSUSE-SU-2026:10263-1
RHSA-2026:13508
RHSA-2026:13512
SUSE-SU-2026:1013-1
SUSE-SU-2026:1148-1
SUSE-SU-2026:1524-1

Affected Products

Rollup