Build Pipeline Halts Plausible Analytics Fork v3.2.0 Over Critical Vulnerabilities Including Rollup RCE Risk
A Docker image build for the self-hosted Plausible Analytics fork maintained by TheKroll Ltd was blocked from deployment after automated security scanning revealed six unpatched vulnerabilities, according to build pipeline records. The image, tagged v3.2.0 and hosted at ghcr.io/thekroll-ltd/plausible, failed a Trivy vulnerability scan and was not pushed to the target registry. The findings include multiple HIGH-severity CVEs affecting transitive dependencies in the application's build stack.
The most serious exposure identified is CVE-2026-27606, a remote code execution vulnerability in Rollup versions 4.41.1 and earlier that stems from a path traversal flaw. Additional HIGH-severity issues were found in the @remix-run/router package (CVE-2026-22029, cross-site scripting via open redirects) and in the minimatch glob-matching library, which carries two Denial of Service vulnerabilities (CVE-2026-26996 and CVE-2026-27903, both affecting version 3.1.2). The scan rated the combined findings CRITICAL and HIGH, which triggered the automated gate and prevented deployment.
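The gating step described above, as an added illustration that is not taken from the pipeline records or from the TheKroll Ltd project: a Trivy JSON report (Trivy's `Results[].Vulnerabilities[]` layout) is parsed, any finding at or above the blocking severities halts the push, and the result is reduced to one upgrade action per package. The report is constructed from the CVEs the article names; severities other than the ones it states, and installed versions it does not give, are assumed and marked as such.

```python
import json
import sys

# Constructed Trivy-style report for the blocked image. CVE ids, package names and the
# minimatch version come from the article; the rollup severity (CRITICAL) and the
# rollup/@remix-run/router installed versions are ASSUMED, and FixedVersion is left
# empty because the article does not state the patched releases.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/thekroll-ltd/plausible:v3.2.0",
    "Results": [{
        "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-27606", "PkgName": "rollup",
             "InstalledVersion": "4.41.1", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2026-22029", "PkgName": "@remix-run/router",
             "InstalledVersion": "0.0.0-assumed", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2026-26996", "PkgName": "minimatch",
             "InstalledVersion": "3.1.2", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2026-27903", "PkgName": "minimatch",
             "InstalledVersion": "3.1.2", "FixedVersion": "", "Severity": "HIGH"},
        ],
    }],
})

GATE_SEVERITIES = ("HIGH", "CRITICAL")


def gate_image(report_json: str, blocking=GATE_SEVERITIES) -> dict:
    """Decide whether an image may be pushed, based on a Trivy JSON report."""
    report = json.loads(report_json)
    blocking_set = {s.upper() for s in blocking}
    findings = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) for clean targets.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity", "UNKNOWN").upper() in blocking_set:
                findings.append({
                    "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                    "installed": v.get("InstalledVersion", ""),
                    "fixed": v.get("FixedVersion", ""),
                    "severity": v["Severity"].upper(), "target": result.get("Target", ""),
                })
    # One upgrade action per package, not per CVE (minimatch carries two here).
    return {"artifact": report.get("ArtifactName", ""), "blocked": bool(findings),
            "findings": findings,
            "packages_to_upgrade": sorted({f["pkg"] for f in findings}),
            "unfixed": sorted({f["pkg"] for f in findings if not f["fixed"]})}


if __name__ == "__main__":
    decision = gate_image(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    print(json.dumps(decision, indent=2))
    sys.exit(1 if decision["blocked"] else 0)  # non-zero exit stops the push step
```

Trivy's own `--exit-code 1 --severity HIGH,CRITICAL` flags give the same pass/fail verdict directly; post-processing the JSON as above is useful when the pipeline also needs the per-package upgrade list, or wants to separate findings with no fixed version from those that a dependency bump would close.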
The blocked image was built using an overridden Dockerfile sourced from the upstream plausible/analytics project. Organizations running self-hosted instances of this fork may face pressure to audit their current deployments and verify whether patched versions of affected packages have been applied through dependency updates or base image refreshes. The incident underscores risks inherent in pre-built container images where transitive dependencies are not always immediately visible to operators.