Improper Control of Generation of Code when compiling specifically crafted...

8.2 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Basic Information

ID CVE-2026-44728

Source GitHub_M

Published May 26, 2026 at 17:48

Affected Product

Vendor babel

Product babel

Version >= 7.12.0, < 7.29.4

Affected Versions babel babel >= 7.12.0, < 7.29.4
babel babel >= 8.0.0-alpha.0, < 8.0.0-alpha.13
@babel plugin-transform-modules-systemjs >= 7.12.0, < 7.29.4
@babel plugin-transform-modules-systemjs >= 8.0.0-alpha.0, < 8.0.0-alpha.13

CWE Classification

CWE-94 CWE-843

References

github.com /babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp

{
    "lastseen": "",
    "description": "Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.",
    "published": "2026-05-26T17:48:57.603Z",
    "modified": "2026-05-26T17:48:57.603Z",
    "type": "cve",
    "title": "Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs",
    "source": "GitHub_M",
    "references": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp",
    "id": "CVE-2026-44728",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-843"
    ],
    "cvelist": null,
    "sourceData": "babel babel >= 7.12.0, < 7.29.4\nbabel babel >= 8.0.0-alpha.0, < 8.0.0-alpha.13\n@babel plugin-transform-modules-systemjs >= 7.12.0, < 7.29.4\n@babel plugin-transform-modules-systemjs >= 8.0.0-alpha.0, < 8.0.0-alpha.13",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "babel",
    "version": ">= 7.12.0, < 7.29.4",
    "vendor": "babel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs_CVE-2026-44728