Rollup: Arbitrary File Write via Path Traversal v<2.80/3.30/4.59
CVE-2026-27606 Published on February 25, 2026
Rollup 4 has Arbitrary File Write via Path Traversal
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Vulnerability Analysis
CVE-2026-27606 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-27606 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-27606
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
rollup:- Version < 2.80.0 is affected.
- Version >= 3.0.0, < 3.30.0 is affected.
- Version >= 4.0.0, < 4.59.0 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2026-27606
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | rollup | >= 4.0.0, < 4.59.0 | 4.59.0 |
| npm | rollup | >= 3.0.0, < 3.30.0 | 3.30.0 |
| npm | rollup | < 2.80.0 | 2.80.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.