CVE-2026-44728

Source
https://cve.org/CVERecord?id=CVE-2026-44728
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44728.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44728
Aliases
Downstream
Related
Published
2026-05-26T17:48:57.603Z
Modified
2026-07-08T08:13:29.215376965Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs
Details

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44728.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-843",
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/babel/babel

Affected ranges

Type
GIT
Repo
https://github.com/babel/babel
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:babel:babel:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "7.12.0"
        },
        {
            "fixed": "7.29.4"
        }
    ]
}

Affected versions

@babel/core@7.*
@babel/core@7.23.2
v7.*
v7.12.0
v7.12.1
v7.12.10
v7.12.11
v7.12.12
v7.12.13
v7.12.14
v7.12.15
v7.12.16
v7.12.17
v7.12.18
v7.12.2
v7.12.3
v7.12.4
v7.12.5
v7.12.6
v7.12.7
v7.12.8
v7.12.9
v7.13.0
v7.13.1
v7.13.10
v7.13.11
v7.13.12
v7.13.13
v7.13.14
v7.13.15
v7.13.16
v7.13.17
v7.13.2
v7.13.3
v7.13.4
v7.13.5
v7.13.6
v7.13.7
v7.13.8
v7.13.9
v7.14.0
v7.14.1
v7.14.2
v7.14.3
v7.14.4
v7.14.5
v7.14.6
v7.14.7
v7.14.8
v7.14.9
v7.15.0
v7.15.1
v7.15.2
v7.15.3
v7.15.4
v7.15.5
v7.15.6
v7.15.7
v7.15.8
v7.16.0
v7.16.1
v7.16.10
v7.16.11
v7.16.12
v7.16.2
v7.16.3
v7.16.4
v7.16.5
v7.16.6
v7.16.7
v7.16.8
v7.16.9
v7.17.0
v7.17.1
v7.17.10
v7.17.11
v7.17.12
v7.17.2
v7.17.3
v7.17.4
v7.17.5
v7.17.6
v7.17.7
v7.17.8
v7.17.9
v7.18.0
v7.18.1
v7.18.10
v7.18.11
v7.18.12
v7.18.13
v7.18.2
v7.18.3
v7.18.4
v7.18.5
v7.18.6
v7.18.7
v7.18.8
v7.18.9
v7.19.0
v7.19.1
v7.19.2
v7.19.3
v7.19.4
v7.19.5
v7.19.6
v7.20.0
v7.20.1
v7.20.10
v7.20.11
v7.20.12
v7.20.13
v7.20.14
v7.20.15
v7.20.2
v7.20.3
v7.20.4
v7.20.5
v7.20.6
v7.20.7
v7.20.8
v7.20.9
v7.21.0
v7.21.1
v7.21.2
v7.21.3
v7.21.4
v7.21.5
v7.21.6
v7.21.7
v7.21.8
v7.21.9
v7.22.0
v7.22.1
v7.22.10
v7.22.11
v7.22.12
v7.22.13
v7.22.14
v7.22.15
v7.22.16
v7.22.17
v7.22.18
v7.22.19
v7.22.2
v7.22.20
v7.22.3
v7.22.4
v7.22.5
v7.22.6
v7.22.7
v7.22.8
v7.22.9
v7.23.0
v7.23.1
v7.23.10
v7.23.2
v7.23.3
v7.23.4
v7.23.5
v7.23.6
v7.23.7
v7.23.8
v7.23.9
v7.24.0
v7.24.1
v7.24.10
v7.24.2
v7.24.3
v7.24.4
v7.24.5
v7.24.6
v7.24.7
v7.24.8
v7.24.9
v7.25.0
v7.25.1
v7.25.2
v7.25.3
v7.25.4
v7.25.5
v7.25.6
v7.25.7
v7.25.8
v7.25.9
v7.26.0
v7.26.1
v7.26.10
v7.26.2
v7.26.3
v7.26.4
v7.26.5
v7.26.6
v7.26.7
v7.26.8
v7.26.9
v7.27.0
v7.27.1
v7.27.2
v7.27.3
v7.27.4
v7.27.5
v7.27.6
v7.27.7
v7.28.0
v7.28.1
v7.28.2
v7.28.3
v7.28.4
v7.28.5
v7.28.6
v7.29.0
v7.29.1
v7.29.2
v7.29.3
v8.*
v8.0.0-alpha.1
v8.0.0-alpha.10
v8.0.0-alpha.11
v8.0.0-alpha.12
v8.0.0-alpha.13
v8.0.0-alpha.14
v8.0.0-alpha.15
v8.0.0-alpha.16
v8.0.0-alpha.17
v8.0.0-alpha.2
v8.0.0-alpha.3
v8.0.0-alpha.4
v8.0.0-alpha.5
v8.0.0-alpha.6
v8.0.0-alpha.7
v8.0.0-alpha.8
v8.0.0-alpha.9
v8.0.0-beta.0
v8.0.0-beta.1
v8.0.0-beta.2
v8.0.0-beta.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44728.json"