Search

Find a vulnerability

Search criteria

    2 vulnerabilities by @babel

    CVE-2026-44728 (GCVE-0-2026-44728)

    Vulnerability from nvd – Published: 2026-05-26 17:48 – Updated: 2026-05-28 03:55
    VLAI
    Title
    Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs
    Summary
    Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    babel babel Affected: >= 7.12.0, < 7.29.4
    Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13
    Create a notification for this product.
    @babel plugin-transform-modules-systemjs Affected: >= 7.12.0, < 7.29.4
    Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44728",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:38.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "babel",
              "vendor": "babel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.12.0, \u003c 7.29.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
                }
              ]
            },
            {
              "product": "plugin-transform-modules-systemjs",
              "vendor": "@babel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.12.0, \u003c 7.29.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-843",
                  "description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T17:48:57.603Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp"
            }
          ],
          "source": {
            "advisory": "GHSA-fv7c-fp4j-7gwp",
            "discovery": "UNKNOWN"
          },
          "title": "Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44728",
        "datePublished": "2026-05-26T17:48:57.603Z",
        "dateReserved": "2026-05-07T18:04:17.309Z",
        "dateUpdated": "2026-05-28T03:55:38.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44728 (GCVE-0-2026-44728)

    Vulnerability from cvelistv5 – Published: 2026-05-26 17:48 – Updated: 2026-05-28 03:55
    VLAI
    Title
    Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs
    Summary
    Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    babel babel Affected: >= 7.12.0, < 7.29.4
    Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13
    Create a notification for this product.
    @babel plugin-transform-modules-systemjs Affected: >= 7.12.0, < 7.29.4
    Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44728",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T03:55:38.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "babel",
              "vendor": "babel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.12.0, \u003c 7.29.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
                }
              ]
            },
            {
              "product": "plugin-transform-modules-systemjs",
              "vendor": "@babel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 7.12.0, \u003c 7.29.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-843",
                  "description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T17:48:57.603Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp"
            }
          ],
          "source": {
            "advisory": "GHSA-fv7c-fp4j-7gwp",
            "discovery": "UNKNOWN"
          },
          "title": "Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44728",
        "datePublished": "2026-05-26T17:48:57.603Z",
        "dateReserved": "2026-05-07T18:04:17.309Z",
        "dateUpdated": "2026-05-28T03:55:38.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }