{"id":"CVE-2026-44728","summary":"Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs","details":"Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.","aliases":["GHSA-fv7c-fp4j-7gwp"],"modified":"2026-07-08T08:13:29.215376965Z","published":"2026-05-26T17:48:57.603Z","related":["CGA-xr5x-4678-qpm8"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-843","CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44728.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44728.json"},{"type":"ADVISORY","url":"https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44728"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/babel/babel","events":[{"introduced":"726154c78e2e7d9822e835c7e9ee6199bc3800d8"},{"fixed":"a458f66074b97d54773db8159af673d23b26079b"}],"database_specific":{"extracted_events":[{"introduced":"7.12.0"},{"fixed":"7.29.4"}],"cpe":"cpe:2.3:a:babel:babel:*:*:*:*:*:*:*:*","source":"CPE_RANGE"}}],"versions":["v7.29.3","v7.29.2","v7.29.1","v7.29.0","v7.28.6","v7.28.5","v8.0.0-beta.3","v8.0.0-beta.2","v7.28.4","v7.28.3","v7.28.2","v7.28.1","v8.0.0-beta.1","v7.28.0","v7.27.7","v7.27.6","v7.27.5","v8.0.0-beta.0","v7.27.4","v7.27.3","v7.27.2","v7.27.1","v7.27.0","v8.0.0-alpha.17","v7.26.10","v8.0.0-alpha.16","v7.26.9","v7.26.8","v7.26.7","v7.26.6","v8.0.0-alpha.15","v7.26.5","v8.0.0-alpha.14","v7.26.4","v7.26.3","v7.26.2","v7.26.1","v8.0.0-alpha.13","v7.26.0","v7.25.9","v7.25.8","v7.25.7","v7.25.6","v7.25.5","v7.25.4","v7.25.3","v7.25.2","v7.25.1","v8.0.0-alpha.12","v7.25.0","v7.24.10","v7.24.9","v7.24.8","v8.0.0-alpha.11","v7.24.7","v8.0.0-alpha.10","v8.0.0-alpha.9","v7.24.6","v7.24.5","v8.0.0-alpha.8","v7.24.4","v7.24.3","v7.24.2","v7.24.1","v8.0.0-alpha.7","v7.24.0","v7.23.10","v8.0.0-alpha.6","v7.23.9","v7.23.8","v7.23.7","v8.0.0-alpha.5","v7.23.6","v7.23.5","v7.23.4","v7.23.3","v8.0.0-alpha.4","@babel/core@7.23.2","v7.23.2","v8.0.0-alpha.3","v7.23.1","v7.23.0","v7.22.20","v7.22.19","v7.22.18","v7.22.17","v7.22.16","v7.22.15","v7.22.14","v7.22.13","v7.22.12","v7.22.11","v8.0.0-alpha.2","v7.22.10","v8.0.0-alpha.1","v7.22.9","v7.22.8","v7.22.7","v7.22.6","v7.22.5","v7.22.4","v7.22.3","v7.22.2","v7.22.1","v7.22.0","v7.21.9","v7.21.8","v7.21.7","v7.21.6","v7.21.5","v7.21.4","v7.21.3","v7.21.2","v7.21.1","v7.21.0","v7.20.15","v7.20.14","v7.20.13","v7.20.12","v7.20.11","v7.20.10","v7.20.9","v7.20.8","v7.20.7","v7.20.6","v7.20.5","v7.20.4","v7.20.3","v7.20.2","v7.20.1","v7.20.0","v7.19.6","v7.19.5","v7.19.4","v7.19.3","v7.19.2","v7.19.1","v7.19.0","v7.18.13","v7.18.12","v7.18.11","v7.18.10","v7.18.9","v7.18.8","v7.18.7","v7.18.6","v7.18.5","v7.18.4","v7.18.3","v7.18.2","v7.18.1","v7.18.0","v7.17.12","v7.17.11","v7.17.10","v7.17.9","v7.17.8","v7.17.7","v7.17.6","v7.17.5","v7.17.4","v7.17.3","v7.17.2","v7.17.1","v7.17.0","v7.16.12","v7.16.11","v7.16.10","v7.16.9","v7.16.8","v7.16.7","v7.16.6","v7.16.5","v7.16.4","v7.16.3","v7.16.2","v7.16.1","v7.16.0","v7.15.8","v7.15.7","v7.15.6","v7.15.5","v7.15.4","v7.15.3","v7.15.2","v7.15.1","v7.15.0","v7.14.9","v7.14.8","v7.14.7","v7.14.6","v7.14.5","v7.14.4","v7.14.3","v7.14.2","v7.14.1","v7.14.0","v7.13.17","v7.13.16","v7.13.15","v7.13.14","v7.13.13","v7.13.12","v7.13.11","v7.13.10","v7.13.9","v7.13.8","v7.13.7","v7.13.6","v7.13.5","v7.13.4","v7.13.3","v7.13.2","v7.13.1","v7.13.0","v7.12.18","v7.12.17","v7.12.16","v7.12.15","v7.12.14","v7.12.13","v7.12.12","v7.12.11","v7.12.10","v7.12.9","v7.12.8","v7.12.7","v7.12.6","v7.12.5","v7.12.4","v7.12.3","v7.12.2","v7.12.1","v7.12.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44728.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}]}