What is the CVSS score of CVE-2026-27606?

CVE-2026-27606 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.6%.

Which versions of Rollup are affected by CVE-2026-27606?

Rollup module bundler versions prior to 2.80.0, 3.30.0, and 4.59.0 contain a critical vulnerability allowing arbitrary file writes through path traversal attacks.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27606?

Yes, a public proof-of-concept exploit is available for CVE-2026-27606. Prioritise patching immediately. EPSS: 0.6%.

How to fix or mitigate CVE-2026-27606?

Within 24 hours: Identify all internal and third-party applications using Rollup and document their versions. Within 7 days: Upgrade all instances to patched versions (2.80.0+, 3.30.0+, or 4.59.0+) and validate build integrity. Within 30 days: Conduct code review of recent builds to confirm no malicious artifacts were introduced, and implement supply chain controls to prevent unpatched dependency usage.

Rollup CVE-2026-27606

CRITICAL

Path Traversal (CWE-22)

2026-02-25 security-advisories@github.com

GHSA-mw96-cpmx-2vgc

RCE Path Traversal Rollup Red Hat Suse

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SUSE

CRITICAL

qualitative

Red Hat

9.1 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 16:05 vuln.today

Public exploit code

Patch released

Feb 25, 2026 - 16:05 nvd

Patch available

CVE Published

Feb 25, 2026 - 03:16 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on rollup (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionGitHub Advisory

Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (../) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.

AnalysisAI

Path traversal in Rollup JavaScript module bundler before 2.80.0/3.30.0/4.59.0 allows reading arbitrary files on the build server during bundling. PoC and patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Provide malicious input via CLI or plugin

Exploit

Path traversal sequences bypass filename sanitization

Execution

Arbitrary file written outside intended directory

Impact

Overwrite critical files for RCE

Access

Provide malicious input via CLI or plugin

Exploit

Path traversal sequences bypass filename sanitization

Execution

Arbitrary file written outside intended directory

Impact

Overwrite critical files for RCE

Vulnerability AssessmentAI

Exploitation	Attacker can control Rollup build inputs (CLI arguments, chunk aliases, or malicious plugins) AND the build process runs with filesystem write permissions to target files. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8, EPSS 0.62%. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Malicious npm dependency uses crafted imports that trigger Rollup's path traversal, reading .env files, SSH keys, or CI secrets during build and including them in output.
Remediation	Update Rollup to 2.80.0+, 3.30.0+, or 4.59.0+. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all internal and third-party applications using Rollup and document their versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Critical

Product	Status
Container suse/manager/5.0/x86_64/server:latest	Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7	Fixed
SUSE Manager Client Tools 15	Fixed
SUSE Manager Client Tools for SLE Micro 5	Fixed
SUSE Manager Proxy LTS 4.3	Fixed

CVE-2026-27606 vulnerability details – vuln.today

Back

Rollup CVE-2026-27606

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code