Rollup: Arbitrary File Write via Path Traversal v<2.80/3.30/4.59
CVE-2026-27606 Published on February 25, 2026

Rollup 4 has Arbitrary File Write via Path Traversal
Rollup is a module bundler for JavaScript. Versions of Rollup prior to 2.80.0, 3.30.0, and 4.59.0 (the issue was reported against v4.x and is present in the current source) are vulnerable to an arbitrary file write via path traversal. Insecure file name sanitization in the core engine lets an attacker who controls output file names (for example through CLI named inputs, manual chunk aliases, or a malicious plugin) use traversal sequences (`../`) to write files anywhere on the host filesystem that the build process has permission to write. This can lead to persistent remote code execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.


Vulnerability Analysis

CVE-2026-27606 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-27606 has been classified as a directory traversal vulnerability (weakness).


Products Associated with CVE-2026-27606


Affected Versions

rollup, as shipped in the following Red Hat products:
Red Hat Ansible Automation Platform 2.5 for RHEL 8
Red Hat Ansible Automation Platform 2.5 for RHEL 9
Red Hat Ansible Automation Platform 2.6 for RHEL 9
Red Hat Ansible Automation Platform 2.6
Red Hat Developer Hub 1.8
Red Hat Developer Hub 1.9
Red Hat OpenShift Dev Spaces 3.27
Red Hat OpenShift Service Mesh 2.6
Red Hat Quay 3.10
Red Hat Trusted Artifact Signer 1.3
Red Hat OpenShift Pipelines
Red Hat Ansible Automation Platform 2
Red Hat Build of Podman Desktop - Tech Preview
Red Hat Fuse 7
Red Hat OpenShift distributed tracing 3
Red Hat Single Sign-On 7
Red Hat Self-service automation portal 2
Red Hat Ansible Automation Platform 2.6 for RHEL 10
Red Hat OpenShift Service Mesh 3
Red Hat Advanced Cluster Security 4
Red Hat AMQ Broker 7
Red Hat build of OptaPlanner 8
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux AI (RHEL AI) 3
Red Hat JBoss Enterprise Application Platform 8
Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat OpenShift Container Platform 4

Vulnerable Packages

The following package names and version ranges may be associated with CVE-2026-27606:

Package Manager | Vulnerable Package | Versions | Fixed In
npm | rollup | >= 4.0.0, < 4.59.0 | 4.59.0
npm | rollup | >= 3.0.0, < 3.30.0 | 3.30.0
npm | rollup | < 2.80.0 | 2.80.0

Exploit Probability

EPSS
1.20%
Percentile
64.03%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.