| purl | pkg:npm/rollup@2.0.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-8rvq-3hxb-7fgg Aliases: CVE-2024-47068 GHSA-gcx4-mw62-g8wm | Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-qw8m-bwpf-3qh9 Aliases: CVE-2026-27606 GHSA-mw96-cpmx-2vgc | | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T21:08:41.704402+00:00 | GitLab Importer | Affected by | VCID-qw8m-bwpf-3qh9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/rollup/CVE-2026-27606.yml | 38.6.0 |
| 2026-06-12T19:41:01.660912+00:00 | GitLab Importer | Affected by | VCID-8rvq-3hxb-7fgg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/rollup/CVE-2024-47068.yml | 38.6.0 |