CVE-2026-44728

8.2 HIGH

Babel is a compiler for writing next generation JavaScript

Published: 2026-05-26 · Last updated: 2026-05-27

Severity and scoring

CVSS: 8.2 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-843, CWE-94

Affected products

Vendor	Product
babel	babel

Description

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44728
[Vendor advisory]https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp

Related CVEs

Same CWE

CVE-2026-24155 — NVIDIA NeMo Framework for all platforms contains a code injection vulnerability (7.8 HIGH)
CVE-2026-12299 — JIT miscompilation in the DOM: Core & HTML component (5.4 MEDIUM)
CVE-2026-49774 — Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion (9.9 CRITICAL)
CVE-2026-48017 — DbGate is cross-platform database manager (8.8 HIGH)
CVE-2026-48836 — Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions (10.0 CRITICAL)