CVE-2026-44728: Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs

Published May 8, 2026

Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Known affected plugins are:
- @babel/plugin-transform-modules-systemjs
- @babel/preset-env when using the modules: "systemjs" option, as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/plugin-transform-modules-systemjs@7.29.4.

Babel also released @babel/preset-env@7.29.5, updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.
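Because the exposure is decided by the version of @babel/plugin-transform-modules-systemjs that actually resolves in your dependency tree (not by the @babel/preset-env version alone), the first practical check is to scan the lockfile for every installed copy, including nested ones. The following script is an added example, not Babel's or SecAlerts' code; it reads an npm lockfile v2/v3 "packages" map, compares each resolved version against the ranges listed in this advisory with a small prerelease-aware semver comparison, and reports any copy still in the affected range. The lockfile content below is constructed for the example.

```javascript
// Added example: audit an npm lockfile for vulnerable copies of the SystemJS transform.
// Not Babel's code; the sample lockfile at the bottom is constructed, not from a real project.

const PLUGIN = "@babel/plugin-transform-modules-systemjs";

// Affected ranges as given in the advisory's "Affected Software" table:
// 7.12.0 up to (not including) 7.29.4, and 8.0.0-alpha.0 up to (not including) 8.0.0-alpha.13.
const AFFECTED_RANGES = [
  { min: "7.12.0", fixed: "7.29.4" },
  { min: "8.0.0-alpha.0", fixed: "8.0.0-alpha.13" },
];

// Minimal semver parser: "MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]" (build metadata ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below the same release (8.0.0-alpha.12 < 8.0.0), and
// all-digit prerelease identifiers compare numerically (alpha.9 < alpha.10).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // shorter prerelease list is lower
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (xn) return -1;      // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version is inside any of the advisory's affected ranges.
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    (r) => compareSemver(version, r.min) >= 0 && compareSemver(version, r.fixed) < 0
  );
}

// Walk the lockfile's "packages" map. Hoisted copies live at "node_modules/<name>";
// nested copies live under "node_modules/<parent>/node_modules/<name>".
function findAffected(lockfile) {
  const results = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === `node_modules/${PLUGIN}` || path.endsWith(`/node_modules/${PLUGIN}`)) {
      results.push({ path, version: entry.version, affected: isAffectedVersion(entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile: the hoisted copy is already fixed, but a nested copy
// pulled in by another tool is still on a vulnerable version.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/@babel/preset-env": { version: "7.29.5" },
    "node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.29.4" },
    "node_modules/some-tool/node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.29.3" },
  },
};

for (const r of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`${r.affected ? "AFFECTED" : "ok      "} ${r.version}  ${r.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with the parsed contents of package-lock.json (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`); the nested-copy case is the one that a plain `npm ls` glance tends to miss, and it is why the advisory bumped @babel/preset-env to 7.29.5 to force the transitive update.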

Workarounds

- Pin @babel/parser to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and cannot upgrade @babel/plugin-transform-modules-systemjs to v7.29.4.
- Do not use the modules: "systemjs" option; migrate the codebase to native ES Modules or any other module format.
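The second workaround is only effective if nothing in the configuration still routes output through the SystemJS transform, and that can happen directly (the plugin listed under plugins), indirectly (@babel/preset-env with modules: "systemjs"), or only in one env or overrides block. The following checker is an added example, not Babel's own code: it walks a Babel config object, normalizes the "@babel/env" and "@babel/transform-modules-systemjs" shorthand names the way Babel's naming convention does (this normalization is an assumption for the example and does not cover file paths, unscoped babel-plugin-* names, or plugin functions), and lists every place the vulnerable transform is selected. The two config objects are constructed: one with the weak setting, one rewritten to keep native ES modules (modules: false).

```javascript
// Added example: find every way a Babel config selects the SystemJS module transform.
// Not Babel's code; both config objects below are constructed for the example.

const SYSTEMJS_PLUGIN = "@babel/plugin-transform-modules-systemjs";
const PRESET_ENV = "@babel/preset-env";

// Babel accepts a plugin or preset entry as either "name" or ["name", options].
function splitEntry(entry) {
  if (Array.isArray(entry)) return { name: entry[0], options: entry[1] || {} };
  return { name: entry, options: {} };
}

// Assumed shorthand expansion: "@babel/env" -> "@babel/preset-env",
// "@babel/transform-modules-systemjs" -> "@babel/plugin-transform-modules-systemjs".
function normalizeName(name, kind) {
  if (typeof name !== "string") return name;
  const prefix = `@babel/${kind}-`;
  if (name.startsWith("@babel/") && !name.startsWith(prefix)) {
    return prefix + name.slice("@babel/".length);
  }
  return name;
}

// Returns a list of human-readable findings; an empty list means the config
// never selects the SystemJS transform, at top level or in any env/overrides block.
function systemjsFindings(config) {
  const hits = [];
  for (const entry of config.plugins || []) {
    const { name } = splitEntry(entry);
    if (normalizeName(name, "plugin") === SYSTEMJS_PLUGIN) {
      hits.push(`plugins: ${SYSTEMJS_PLUGIN} listed directly`);
    }
  }
  for (const entry of config.presets || []) {
    const { name, options } = splitEntry(entry);
    if (normalizeName(name, "preset") === PRESET_ENV && options.modules === "systemjs") {
      hits.push(`presets: ${PRESET_ENV} with modules: "systemjs"`);
    }
  }
  // env-specific and overrides blocks can add plugins/presets of their own.
  for (const [envName, envConfig] of Object.entries(config.env || {})) {
    for (const h of systemjsFindings(envConfig)) hits.push(`env.${envName} -> ${h}`);
  }
  for (const [i, override] of (config.overrides || []).entries()) {
    for (const h of systemjsFindings(override)) hits.push(`overrides[${i}] -> ${h}`);
  }
  return hits;
}

function usesSystemjsTransform(config) {
  return systemjsFindings(config).length > 0;
}

// Weak setting (constructed): preset-env emits SystemJS modules, and the test env
// additionally lists the transform by its shorthand name.
const VULNERABLE_CONFIG = {
  presets: [["@babel/env", { targets: "defaults", modules: "systemjs" }]],
  env: { test: { plugins: ["@babel/transform-modules-systemjs"] } },
};

// Corrected setting (constructed): modules: false tells preset-env to leave
// ES module syntax untouched, matching the advisory's "migrate to native ES Modules".
const HARDENED_CONFIG = {
  presets: [[PRESET_ENV, { targets: "defaults", modules: false }]],
  env: { test: { plugins: [] } },
};

for (const [label, cfg] of [["vulnerable", VULNERABLE_CONFIG], ["hardened", HARDENED_CONFIG]]) {
  const hits = systemjsFindings(cfg);
  console.log(`${label}: ${hits.length === 0 ? "no SystemJS transform selected" : hits.join("; ")}`);
}
```

Run the checker over the object your babel.config.js exports (or the parsed .babelrc); Babel's real config loading also merges multiple files and resolves relative paths, so treat an empty result as a strong signal rather than proof, and confirm by inspecting the compiled output for the System.register wrapper.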

Credits

Babel thanks Daniel Cervera for reporting the vulnerability.

Other sources

MITRE: Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Affected Software

16 affected components, fixes available.

Package / product | Affected versions | Fixed in
npm/@babel/plugin-transform-modules-systemjs | >=8.0.0-alpha.0, <=8.0.0-alpha.12 | 8.0.0-alpha.13
npm/@babel/plugin-transform-modules-systemjs | >=7.12.0, <=7.29.3 | 7.29.4
Babel (vendor: Babel) | >=7.12.0, <7.29.4 | 7.29.4
Babel (vendor: Babel) | 8.0.0-alpha0, 8.0.0-alpha1, 8.0.0-alpha2, 8.0.0-alpha3, 8.0.0-alpha4, 8.0.0-alpha5, 8.0.0-alpha6, 8.0.0-alpha7, 8.0.0-alpha8, 8.0.0-alpha9, 8.0.0-alpha10, 8.0.0-alpha11, 8.0.0-alpha12 (each prerelease listed as its own component) | 8.0.0-alpha.13

Event History

May 8, 2026
- 08:34 PM: Advisory Published (via GitHub)
- 08:34 PM: Data Sourced (via GitHub): Description, Severity, Weakness, Affected Software

May 26, 2026
- 05:48 PM: CVE Published (via MITRE)
- 05:48 PM: Data Sourced (via MITRE): Description, Severity, Weakness
- 06:16 PM: Data Sourced (via NVD): Description, Severity, Weakness, Affected Software

Frequently Asked Questions

1. What is the severity of CVE-2026-44728?

CVE-2026-44728 is rated high severity because compiling attacker-crafted code with a vulnerable Babel plugin can produce output that executes arbitrary code.

2. How do I fix CVE-2026-44728?

Update @babel/plugin-transform-modules-systemjs to 7.29.4 (7.x line) or 8.0.0-alpha.13 (8.x prereleases). If you use @babel/preset-env, update it to 7.29.5, which depends on the fixed plugin, and verify that no older copy of the plugin remains nested elsewhere in the dependency tree.

3. What are the affected plugins in CVE-2026-44728?

@babel/plugin-transform-modules-systemjs, and @babel/preset-env when configured with modules: "systemjs", since that option delegates to the plugin. No other plugins under the @babel namespace are affected.

4. What could happen if I don't address CVE-2026-44728?

If your build compiles code an attacker can influence (for example, third-party or user-submitted source) with the affected transform, the output Babel generates can execute arbitrary code wherever that output is run. Builds that only compile trusted code are not impacted.

5. Is CVE-2026-44728 a known issue in Babel?

Yes. It is documented in Babel's GitHub security advisory, with fixes released in @babel/plugin-transform-modules-systemjs 7.29.4 and 8.0.0-alpha.13.

© 2026 SecAlerts Pty Ltd.