rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
A flaw was found in Rollup, a JavaScript module bundler. Insecure file name sanitization in the core engine allows an attacker to control output filenames, potentially through command-line interface CLI inputs, manual chunk aliases, or malicious plugins. By using directory traversal sequences ../...
TencentOS Server 4: grafana (TSSA-2026:0168)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0168 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
1k-tasks (>=4.0.0 <=4.2.2), @adobe/helix-deploy (>=9.3.8 <=9.3.16) +400 more potentially affected by CVE-2026-27606 via rollup (>=4.0.2 <=4.58.0)
rollup NPM version =4.0.2, =4.0.0, =9.3.8, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.3.0, =2.17.15, =1.0.4, =1.9.12, =2.0.4, =2.0.4, =2.0.4, =2.0.5 and more Source cves: CVE-2026-27606 Source advisory: OSV:GHSA-MW96-CPMX-2VGC...
1k-tasks (>=3.1.0 <=3.6.1), @adobe/helix-deploy (>=9.0.19 <=9.3.7) +433 more potentially affected by CVE-2026-27606 via rollup (>=3.0.0 <=3.2.5)
rollup NPM version =3.0.0, =3.1.0, =9.0.19, =6.0.3, =0.6.0, =12.0.0, =0.0.3, =1.6.3, =3.2.1, =0.1.0, =0.0.4, =3.0.1-canary.8, =3.0.1-canary.12 - @clairview/api =23.1.0 - @clairview/extensions-sdk =12.1.1 and more Source cves: CVE-2026-27606 Source advisory: OSV:GHSA-MW96-CPMX-2VGC...
0.2-ui (=0.0.1), 0xgank-tea-advice-pull (=1.0.0) +15856 more potentially affected by CVE-2026-27606 via rollup (>=0.10.0 <=2.7.6)
rollup NPM version =0.10.0, =2.7.6 is affected by a known vulnerability. The following packages have a transitive dependency on rollup and may be impacted: - 0.2-ui =0.0.1 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory...
EUVD-2026-8589
Rollup 4 has Arbitrary File Write via Path Traversal...
1k-tasks (>=4.0.0 <=4.2.2), @adobe/helix-deploy (>=9.3.8 <=9.3.16) +400 more potentially affected by CVE-2026-27606 via rollup (>=4.0.2 <=4.58.0)
rollup NPM version =4.0.2, =4.0.0, =9.3.8, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.3.0, =2.17.15, =1.0.4, =1.9.12, =2.0.4, =2.0.4, =2.0.4, =2.0.5 and more Source cves: CVE-2026-27606 Source advisory: SNYK:JS-ROLLUP-15340920...
0.2-ui (=0.0.1), 1k-tasks (>=2.3.0 <=3.0.2) +2392 more potentially affected by CVE-2026-27606 via rollup (>=2.0.0 <=2.7.6)
rollup NPM version =2.0.0, =2.3.0, =1.0.17, =1.0.0, =0.0.74, =0.0.14, =1.0.0, =0.0.10, =0.0.3, =1.0.1, =1.0.12, =1.0.0, =0.0.4, =0.0.5 and more Source cves: CVE-2026-27606 Source advisory: SNYK:JS-ROLLUP-15340920...
1k-tasks (>=3.1.0 <=3.6.1), @adobe/helix-deploy (>=9.0.19 <=9.3.7) +433 more potentially affected by CVE-2026-27606 via rollup (>=3.0.0 <=3.2.5)
rollup NPM version =3.0.0, =3.1.0, =9.0.19, =6.0.3, =0.6.0, =12.0.0, =0.0.3, =1.6.3, =3.2.1, =0.1.0, =0.0.4, =3.0.1-canary.8, =3.0.1-canary.12 - @clairview/api =23.1.0 - @clairview/extensions-sdk =12.1.1 and more Source cves: CVE-2026-27606 Source advisory: SNYK:JS-ROLLUP-15340920...
org.webjars.npm:github-com-DataTables-DataTablesSrc (=2.0.5), org.webjars.npm:vite (>=2.9.0 <=6.3.5) +1 more potentially affected by CVE-2026-27606 via org.webjars.npm:rollup (>=2.79.2 <=4.45.1)
org.webjars.npm:rollup MAVEN version =2.79.2, =2.9.0, =6.3.5 - org.webjars.npm:vitepress =1.0.0-draft.8 Source cves: CVE-2026-27606 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15340921...
CVE-2026-27606 Rollup 4 has Arbitrary File Write via Path Traversal
Rollup is a module bundler for JavaScript. Versions of the Rollup module bundler prior to 2.80.0, 3.30.0, and 4.59.0 (specifically v4.x, and present in the current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker t...
CVE-2026-27606
CVE-2026-27606 affects Rollup: vulnerable in versions prior to 2.80.0, 3.30.0, and 4.59.0 due to insecure file name sanitization in the core engine, enabling arbitrary file write via path traversal. An attacker can use traversal sequences (e.g., ../) to overwrite files the build process can acces...
Rollup Path Traversal Vulnerability
Rollup is a JavaScript module developed by Rollup. Versions prior to Rollup 2.80.0, 3.30.0, and 4.59.0 contained a path traversal vulnerability. This vulnerability stemmed from improper filename handling in the core engine, which could allow arbitrary file writing and remote code execution throug...
PT-2026-21834
Name of the Vulnerable Software and Affected Versions: Rollup versions prior to 2.80.0; Rollup versions prior to 3.30.0; Rollup versions prior to 4.59.0. Description: Rollup, a JavaScript module bundler, contains a flaw due to insecure file name sanitization in its core engine. This allows an attacker...
Security Bulletin: Multiple vulnerabilities in IBM Controller
Summary: Multiple vulnerabilities were addressed in IBM Controller. Vulnerability Details: CVEID: CVE-2024-4067 DESCRIPTION: The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces in index.js because the...
DOM Clobbering
Rollup is vulnerable to DOM Clobbering. The vulnerability is due to improper handling of import.meta properties in the cjs/umd/iife output formats, which allows an attacker to perform cross-site scripting (XSS) attacks through unsanitized HTML elements, like an img tag with an unsanitized name attribute...
1k-tasks (>=4.0.0 <=4.2.2), @adobe/helix-deploy (>=9.3.8 <=9.3.14) +214 more potentially affected by CVE-2024-47068 via rollup (>=4.0.2 <=4.22.2)
rollup NPM version =4.0.2, =4.0.0, =9.3.8, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =0.0.0, =2.17.15, =1.9.12, =18.1.0, =18.1.0, =12.0.1, =12.0.1, =13.0.0 and more Source cves: CVE-2024-47068 Source advisory: OSV:GHSA-GCX4-MW62-G8WM...
1k-tasks (>=3.1.0 <=3.6.1), @adobe/helix-deploy (>=9.0.19 <=9.3.7) +371 more potentially affected by CVE-2024-47068 via rollup (>=3.0.0 <=3.29.4)
rollup NPM version =3.0.0, =3.1.0, =9.0.19, =6.0.3, =0.6.0, =12.0.0, =0.1.0, =0.0.7, =3.0.1-canary.8, =2.3.1, =4.63.0, =1.0.0, =1.0.10 and more Source cves: CVE-2024-47068 Source advisory: OSV:GHSA-GCX4-MW62-G8WM...
0.2-ui (=0.0.1), 0xgank-tea-advice-pull (=1.0.0) +15791 more potentially affected by CVE-2024-47068 via rollup (>=0.10.0 <=2.79.1)
rollup NPM version =0.10.0, =2.79.1 is affected by a known vulnerability. The following packages have a transitive dependency on rollup and may be impacted: - 0.2-ui =0.0.1 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory...