Arbitrary Code Execution Vulnerability in Babel Compiler by Babel
CVE-2026-44728

8.2 HIGH

Key Information:

Vendor: Babel
CVE Published: 26 May 2026

What is CVE-2026-44728?

The Babel compiler, used for writing next-generation JavaScript, contains a vulnerability that allows attackers to craft specific inputs to generate output code capable of executing arbitrary code. This flaw affects versions from 7.12.0 up to but not including 7.29.4, as well as the pre-release versions up to 8.0.0-alpha.12. Users are encouraged to upgrade to versions 7.29.4 or 8.0.0-alpha.13 to mitigate this security risk.

Affected Version(s)

babel: affected >= 7.12.0, < 7.29.4; not affected < 7.12.0, 7.29.4

babel: affected >= 8.0.0-alpha.0, < 8.0.0-alpha.13; not affected < 8.0.0-alpha.0, 8.0.0-alpha.13

plugin-transform-modules-systemjs: affected >= 7.12.0, < 7.29.4; not affected < 7.12.0, 7.29.4

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
