Search criteria
2 vulnerabilities found for plugin-transform-modules-systemjs by @babel
CVE-2026-44728 (GCVE-0-2026-44728)
Vulnerability from nvd – Published: 2026-05-26 17:48 – Updated: 2026-05-27 13:13
VLAI
Title
Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs
Summary
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
Severity
8.2 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/babel/babel/security/advisorie… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| babel | babel |
Affected:
>= 7.12.0, < 7.29.4
Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13 |
|
| @babel | plugin-transform-modules-systemjs |
Affected:
>= 7.12.0, < 7.29.4
Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:13:27.431537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:13:45.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "babel",
"vendor": "babel",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.12.0, \u003c 7.29.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
}
]
},
{
"product": "plugin-transform-modules-systemjs",
"vendor": "@babel",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.12.0, \u003c 7.29.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:48:57.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp"
}
],
"source": {
"advisory": "GHSA-fv7c-fp4j-7gwp",
"discovery": "UNKNOWN"
},
"title": "Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44728",
"datePublished": "2026-05-26T17:48:57.603Z",
"dateReserved": "2026-05-07T18:04:17.309Z",
"dateUpdated": "2026-05-27T13:13:45.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44728 (GCVE-0-2026-44728)
Vulnerability from cvelistv5 – Published: 2026-05-26 17:48 – Updated: 2026-05-27 13:13
VLAI
Title
Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs
Summary
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
Severity
8.2 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/babel/babel/security/advisorie… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| babel | babel |
Affected:
>= 7.12.0, < 7.29.4
Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13 |
|
| @babel | plugin-transform-modules-systemjs |
Affected:
>= 7.12.0, < 7.29.4
Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:13:27.431537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:13:45.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "babel",
"vendor": "babel",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.12.0, \u003c 7.29.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
}
]
},
{
"product": "plugin-transform-modules-systemjs",
"vendor": "@babel",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.12.0, \u003c 7.29.4"
},
{
"status": "affected",
"version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T17:48:57.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp"
}
],
"source": {
"advisory": "GHSA-fv7c-fp4j-7gwp",
"discovery": "UNKNOWN"
},
"title": "Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44728",
"datePublished": "2026-05-26T17:48:57.603Z",
"dateReserved": "2026-05-07T18:04:17.309Z",
"dateUpdated": "2026-05-27T13:13:45.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}