Arbitrary File Read Vulnerability in Babel Compiler for JavaScript
CVE-2026-49356

3.2 LOW

Key Information:

Vendor

Babel

Status
Vendor
CVE Published:
22 June 2026

What is CVE-2026-49356?

An arbitrary file read vulnerability exists in the Babel compiler for JavaScript, in the @babel/core package. Crafted input that includes a sourceMappingURL comment can be used to gain access to any source map file on the system running Babel. If an attacker can control the input code, they can use this vulnerability to read the output source code and access sensitive files, specifically source maps, at a known file path. The vulnerability has been addressed in versions 8.0.0-rc.6 and 7.29.6, so users of the Babel compiler should update promptly.
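As an added example (not part of this advisory and not Babel's code), here is a pre-check a build service could run on untrusted input before handing it to Babel: it finds sourceMappingURL comments and flags any that point at a file instead of an inline data: URI. The function names and sample inputs are constructed for illustration.

```javascript
// Added example, not Babel's code. Names and sample inputs are constructed.
// Matches "//# sourceMappingURL=..." and "/*# sourceMappingURL=... */",
// including the legacy "@" marker. The scan is deliberately conservative:
// it also flags the pattern when it appears inside a string literal.
const SOURCE_MAP_COMMENT =
  /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=([^\s'"*]+)/g;

// Return one finding per sourceMappingURL comment in `code`.
function findSourceMapReferences(code) {
  const findings = [];
  for (const match of code.matchAll(SOURCE_MAP_COMMENT)) {
    const target = match[1];
    // 1-based line number of the comment, for reporting.
    const line = code.slice(0, match.index).split("\n").length;
    // An inline data: URI carries the map itself; anything else is a
    // reference to a map that would have to be loaded from elsewhere.
    const kind = /^data:/i.test(target) ? "inline" : "external";
    // Absolute paths and ".." segments point outside the input's directory.
    const leavesInputDir =
      kind === "external" &&
      (/^([a-z]:)?[\\/]/i.test(target) ||
        target.split(/[\\/]/).includes(".."));
    findings.push({ line, target, kind, leavesInputDir });
  }
  return findings;
}

// Policy for code from an untrusted party: accept only inline maps.
function isSafeForUntrustedCompile(code) {
  return findSourceMapReferences(code).every((f) => f.kind === "inline");
}

// Constructed sample inputs.
const SAMPLE_UNTRUSTED = [
  "export const x = 1;",
  "//# sourceMappingURL=../../private/app.js.map",
].join("\n");
const SAMPLE_INLINE =
  "let y = 2;\n//# sourceMappingURL=data:application/json;base64,e30=";

console.log(findSourceMapReferences(SAMPLE_UNTRUSTED));
console.log(isSafeForUntrustedCompile(SAMPLE_INLINE));
```

On versions that cannot be upgraded immediately, Babel's documented `inputSourceMap: false` option also stops it from loading a map referenced by such a comment.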

Affected Version(s)

babel >= 8.0.0-alpha.0, < 8.0.0-rc.5 < 8.0.0-alpha.0, 8.0.0-rc.5

babel < 7.29.6

CVSS V3.1

Score: 3.2
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
