CVE-2026-44728

Summary

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Affected Software

VendorProductVersion RangeStatus
babelbabel>= 7.12.0, < 7.29.4affected
babelbabel>= 8.0.0-alpha.0, < 8.0.0-alpha.13affected
@babelplugin-transform-modules-systemjs>= 7.12.0, < 7.29.4affected
@babelplugin-transform-modules-systemjs>= 8.0.0-alpha.0, < 8.0.0-alpha.13affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-843: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References