PatchSiren cyber security CVE debrief

CVE-2026-27606 Rollupjs CVE debrief

CVE-2026-27606 is a high-severity (CVSS 8.8) path traversal vulnerability in Rollup, the JavaScript module bundler, that results in arbitrary file writes. Rollup's core engine derives output file names from build inputs without stripping traversal sequences, so an attacker who controls such a name can make the build write bundle output anywhere the build process has write access, not only inside the configured output directory. Overwriting a system or user configuration file that the host later loads turns the write into persistent Remote Code Execution (RCE). The affected ranges are Rollup 2.x before 2.80.0, 3.x before 3.30.0 and 4.x before 4.59.0. Exploitation requires influence over an input that feeds a file name: CLI named inputs, manual chunk aliases, or a malicious plugin. The fix ships in 2.80.0, 3.30.0 and 4.59.0.

Vendor: Rollupjs
Product: Rollup
CVSS: 8.8 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-25
Original CVE updated: 2026-06-30
Advisory published: 2026-02-25
Advisory updated: 2026-06-30

Who should care

Developers and administrators who run Rollup, whether directly or through tooling that bundles it, should update to a patched version now. Build pipelines that accept externally influenced input (named inputs, chunk aliases) or load third-party plugins are the most exposed. Security teams and vulnerability managers should prioritize this CVE for assessment and remediation because of its high severity and its RCE potential on build hosts. Users of Red Hat products that incorporate Rollup may also need to apply the relevant errata.

Technical summary

CVE-2026-27606 is an arbitrary file write via path traversal in Rollup, caused by insecure sanitization of output file names: a name containing traversal sequences such as "../" is joined onto the output directory and the write lands outside it. Because the write is of attacker-influenced content to an attacker-chosen path, overwriting a system or user configuration file that is later loaded yields persistent Remote Code Execution (RCE). Affected ranges are Rollup 2.x before 2.80.0, 3.x before 3.30.0 and 4.x before 4.59.0. The CVSS score is 8.8 (High). The weakness is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Defensive priority

This vulnerability should be prioritized for immediate attention because of its high severity (CVSS 8.8) and its potential for Remote Code Execution (RCE) on build hosts. Affected systems should be updated to 2.80.0, 3.30.0 or 4.59.0 (or later on the same major branch) as soon as possible, including copies of Rollup nested under other dependencies.

Recommended defensive actions

  • Update Rollup to 2.80.0, 3.30.0 or 4.59.0 or later on the major branch in use, and check lockfiles for nested copies pulled in by other packages.
  • Restrict what can influence output file names: do not pass untrusted values as CLI named inputs or manual chunk aliases, and only load plugins from sources you trust.
  • Run builds with the least filesystem access they need, and monitor for the build process writing outside its configured output directory.
  • Apply the relevant Red Hat errata if using affected Red Hat products.
  • Audit build configurations and custom plugins for any code path that turns external input into a file name.

Evidence notes

CVE-2026-27606 was publicly disclosed on February 25, 2026, and the record was last updated on June 30, 2026. The vulnerability affects Rollup 2.x before 2.80.0, 3.x before 3.30.0 and 4.x before 4.59.0, and is patched in those releases. The CVSS score is 8.8 (High). The weakness is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The stored evidence does not list this CVE in CISA KEV.

Official resources

This article is AI-assisted and based on the supplied source corpus.