2 matches found
CVE-2024-47068
CVE-2024-47068 describes a DOM Clobbering vulnerability in Rollup, where bundling scripts using properties from import.meta (eg. import.meta.url) in formats like cjs/umd/iife can trigger XSS via attacker-controlled, scriptless HTML elements. Affected versions are Rollup < 2.79.2, < 3.29.5, ...
CVE-2026-27606
CVE-2026-27606 affects Rollup: vulnerable in versions prior to 2.80.0, 3.30.0, and 4.59.0 due to insecure file name sanitization in the core engine, enabling arbitrary file write via path traversal. An attacker can use traversal sequences (e.g., ../) to overwrite files the build process can acces...