CVE-2026-44728
8.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| babel | babel | >= 7.12.0, < 7.29.4 | affected |
| babel | babel | >= 8.0.0-alpha.0, < 8.0.0-alpha.13 | affected |
| @babel | plugin-transform-modules-systemjs | >= 7.12.0, < 7.29.4 | affected |
| @babel | plugin-transform-modules-systemjs | >= 8.0.0-alpha.0, < 8.0.0-alpha.13 | affected |
Weaknesses
- CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-843: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.