CVE-2026-44728
Status: Analyzed (Analysis Complete)
Babel Compiler Code Execution Vulnerability

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4, and from 8.0.0-alpha.0 to before 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products
14 associated CPEs
Vendor | Product | Version / Range
babel | babel | from 7.12.0 (inclusive) to 7.29.4 (exclusive)
babel | babel | 8.0.0 (13 entries; per the summary below these are the 8.0.0-alpha.0 through 8.0.0-alpha.12 pre-releases, whose pre-release qualifiers are not shown in the CPE list)
CWE ID | Name | Description
CWE-94 | Improper Control of Generation of Code ('Code Injection') | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Executive Summary

CVE-2026-44728 is a vulnerability in the @babel/plugin-transform-modules-systemjs npm package, affecting versions 7.12.0 through 7.29.3 and 8.0.0-alpha.0 through 8.0.0-alpha.12.

An attacker who can supply source code to a Babel build that uses the "systemjs" module option can craft that code so that Babel emits output which executes arbitrary code.

The issue affects @babel/plugin-transform-modules-systemjs directly and @babel/preset-env whenever its "systemjs" module option is used, because preset-env delegates module transformation to that plugin.

Users who compile only trusted code are not affected; the exposed case is a service or pipeline that runs Babel over code from untrusted sources. The flaw is classified as code injection (CWE-94) and type confusion (CWE-843).

Impact Analysis

Compiling attacker-crafted input with a vulnerable version and the "systemjs" module option yields generated code that runs attacker-chosen code wherever that output is executed.

The resulting impact is a compromise of the confidentiality, integrity, and availability of whatever system loads the generated code.

The page reports a high severity score of 8.2 (CVSS v3), so the issue poses a significant risk where untrusted input reaches the compiler.

Detection Guidance

This vulnerability affects specific versions of the @babel/plugin-transform-modules-systemjs and @babel/preset-env packages when the "systemjs" module option is used. Detection therefore has two parts: finding vulnerable installed versions, and confirming whether the SystemJS transform is actually enabled.

Check the installed versions by running the following commands in your project directory (npm prints every installed copy, including copies nested under other dependencies, so inspect each one it lists):

  • npm list @babel/plugin-transform-modules-systemjs
  • npm list @babel/preset-env

Projects using Yarn or pnpm can use yarn why <package> or pnpm why <package> for the same purpose.

If any listed copy of @babel/plugin-transform-modules-systemjs falls within 7.12.0 through 7.29.3 or 8.0.0-alpha.0 through 8.0.0-alpha.12, or any copy of @babel/preset-env is older than 7.29.5, that installation is vulnerable.

Then review your Babel configuration files (e.g., babel.config.js or .babelrc) for the "systemjs" module option, either as modules: "systemjs" in the @babel/preset-env options or as a direct listing of @babel/plugin-transform-modules-systemjs in the plugins array. Check env-specific and overrides sections as well, since the option may be enabled only for some builds. The vulnerability is only triggered when code is compiled with this option.
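The two checks above combined into one script, as an added example that is not code from this page or from the Babel project. It reads an npm package-lock.json object (lockfile v2/v3 layout, where every installed copy appears under a "node_modules/..." key) and an already-loaded Babel config object, classifies each installed copy of the two packages against the version ranges stated on this page, and reports exposure only when a vulnerable copy is installed and the SystemJS transform is enabled. Assumptions beyond the page: the 7.12.0 lower bound for @babel/preset-env mirrors the plugin's range (the page gives only the 7.29.5 fix), and because no fixed 8.x version of @babel/preset-env is stated, its 8.0.0 pre-releases are reported as "unknown" rather than guessed. The lockfile and config below are constructed samples, not a real project.

```javascript
// Added example, not code from the page or the Babel project: it applies the two
// detection checks above (installed versions, SystemJS enabled in the config) to a
// package-lock.json object and an already-loaded Babel config. Assumptions: npm
// lockfile v2/v3 layout; preset-env's 7.12.0 lower bound mirrors the plugin's (the
// page states only its 7.29.5 fix); no 8.x preset-env fix is stated, so "unknown".

const ADVISORY = {
  "@babel/plugin-transform-modules-systemjs": [
    { min: "7.12.0", fixed: "7.29.4" },
    { min: "8.0.0-alpha.0", fixed: "8.0.0-alpha.13" },
  ],
  "@babel/preset-env": [
    { min: "7.12.0", fixed: "7.29.5" },
    { min: "8.0.0-alpha.0", fixed: null }, // fixed 8.x version not stated on this page
  ],
};

// Split "MAJOR.MINOR.PATCH[-pre.release]" into numeric core and pre-release ids.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: core numbers first; a release outranks any pre-release of the
// same core; pre-release ids compare left to right, numeric ids numerically and
// below alphanumeric ones, and a shorter id list ranks lower.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  if (!pa.pre.length || !pb.pre.length) return Math.sign(pb.pre.length - pa.pre.length);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "vulnerable", "fixed", "unknown" (no fixed version stated) or "not-affected"
// (below the start of that major's range, or a major the advisory does not list).
function classify(pkg, version) {
  const major = parseVersion(version).core[0];
  for (const r of ADVISORY[pkg] || []) {
    if (parseVersion(r.min).core[0] !== major) continue;
    if (compareVersions(version, r.min) < 0) return "not-affected";
    if (r.fixed === null) return "unknown";
    return compareVersions(version, r.fixed) < 0 ? "vulnerable" : "fixed";
  }
  return "not-affected";
}

// Report every installed copy of the two packages, nested copies included: npm
// often keeps a stale copy under another dependency next to the hoisted one.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (path.includes("node_modules/") && name in ADVISORY && entry.version) {
      findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
    }
  }
  return findings;
}

// True when the config lists the plugin or enables it via preset-env's
// modules: "systemjs". Short plugin names and env/overrides blocks are not handled.
function usesSystemjs(config) {
  const nameOf = (e) => (Array.isArray(e) ? e[0] : e);
  const optsOf = (e) => (Array.isArray(e) && e[1] ? e[1] : {});
  if ((config.plugins || []).some((p) => nameOf(p) === "@babel/plugin-transform-modules-systemjs")) return true;
  return (config.presets || []).some((p) => nameOf(p) === "@babel/preset-env" && optsOf(p).modules === "systemjs");
}

// Exposure needs both: a vulnerable copy installed and the SystemJS transform enabled.
function report(lock, config) {
  const findings = scanLockfile(lock);
  const systemjsEnabled = usesSystemjs(config);
  return { findings, systemjsEnabled, exposed: systemjsEnabled && findings.some((f) => f.status === "vulnerable") };
}

// Constructed sample inputs (not a real project): a fixed hoisted plugin, a stale
// nested copy, and a config that selects SystemJS output through preset-env.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/@babel/preset-env": { version: "7.29.5" },
    "node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.29.4" },
    "node_modules/legacy-tool/node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.28.0" },
  },
};
const SAMPLE_CONFIG = { presets: [["@babel/preset-env", { modules: "systemjs" }]] };

console.log(JSON.stringify(report(SAMPLE_LOCK, SAMPLE_CONFIG), null, 2));
```

The sample deliberately pairs a fixed hoisted copy with a stale nested one: a quick look at the top-level node_modules would miss the 7.28.0 copy, which is exactly why the lockfile walk (or npm list) has to consider every installed path. To run it against a real project, replace the sample with require("./package-lock.json") and the config object your build actually loads; the "unknown" status flags cases where this page does not state a fixed version, so those still need a manual check against the upstream advisory.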

Mitigation Strategies

To mitigate this vulnerability, upgrade the affected packages to patched versions:

  • Upgrade @babel/plugin-transform-modules-systemjs to version 7.29.4 or later (8.0.0-alpha.13 or later on the 8.x pre-release line).
  • Upgrade @babel/preset-env to version 7.29.5 or later.

If a transitive dependency keeps an old copy of the plugin installed, an npm "overrides" entry (or Yarn "resolutions") in package.json can force the fixed version; confirm the result with npm list afterwards.

If upgrading is not immediately possible, consider the following workarounds:

  • Pin @babel/parser to version 7.11.5, a release below the 7.12.0 start of the affected range. This is a stopgap only, since it forgoes every parser fix and syntax feature added since that release.
  • Avoid using the "systemjs" module option in your Babel configuration.

Also, ensure that you only compile trusted code, as the vulnerability is exploited by specially crafted malicious input.

Compliance Impact

The vulnerability allows attackers to execute arbitrary code through specially crafted input compiled by Babel, potentially impacting confidentiality, integrity, and availability of systems using affected versions.

Such impacts on confidentiality and integrity could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the vulnerability only affects users compiling untrusted code with the "systemjs" module option, so environments that do not compile untrusted code or have applied patches are not affected.
