CVE-2026-44728

HIGH

Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs

Title source: cna

Description

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp

Scores

CVSS v3 8.2

EPSS 0.0013

EPSS Percentile 2.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-843 CWE-94

Status published

Products (8)

@babel/plugin-transform-modules-systemjs >= 7.12.0, < 7.29.4

@babel/plugin-transform-modules-systemjs >= 8.0.0-alpha.0, < 8.0.0-alpha.13

babel/babel 8.0.0 alpha0 (13 CPE variants)

babel/babel 7.12.0 - 7.29.4

babel/babel >= 7.12.0, < 7.29.4

babel/babel >= 8.0.0-alpha.0, < 8.0.0-alpha.13

babel/plugin-transform-modules-systemjs 7.12.0 - 7.29.4npm

babel/plugin-transform-modules-systemjs 8.0.0-alpha.0 - 8.0.0-alpha.13npm

Published May 26, 2026

Tracked Since May 26, 2026