VIR Vulnerability Intelligence Relay

CVE-2026-44728

high
Published 2026-05-26 ยท Modified 2026-05-28
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
8.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
8.2

Description

Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

Predictions

Exploit likelihood
78%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker ยท View original โ†— ยท DFSG

CVE-2026-44728 NameCVE-2026-44728 DescriptionBabel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13. SourceCVE (at NVD; CERT, ENISA, LWN,โ€ฆ

CVE-2026-44728

NameCVE-2026-44728
DescriptionBabel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-babel7 (PTS)bullseye (security), bullseye7.12.12+~cs150.141.84-6+deb11u1vulnerable
bookworm7.20.15+ds1+~cs214.269.168-3+deb12u2vulnerable
bookworm (security)7.20.15+ds1+~cs214.269.168-3+deb12u1vulnerable
trixie7.20.15+ds1+~cs214.269.168-8vulnerable
forky, sid7.20.15+ds1+~cs214.269.168-17vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-babel7source(unstable)(unfixed)

Notes

https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp

OS impact
debian Debian Affected 5 releases
VersionStatusFixed in
trixie Affected โ€”
sid Affected โ€”
forky Affected โ€”
bullseye Affected โ€”
bookworm Affected โ€”
suse SUSE Affected 1 release
VersionStatusFixed in
โ€” Affected โ€”

Package impact
EcosystemPackageVulnerableFixed
npm npm@babel/plugin-transform-modules-systemjs>=7.12.0,<7.29.47.29.4
npm npm@babel/plugin-transform-modules-systemjs>=8.0.0-alpha.0,<8.0.0-alpha.138.0.0-alpha.13
npm NPM@babel/plugin-transform-modules-systemjs>= 8.0.0-alpha.0, <= 8.0.0-alpha.128.0.0-alpha.13
npm NPM@babel/plugin-transform-modules-systemjs>= 7.12.0, <= 7.29.37.29.4

Application impact
VendorProductVersionsFixed
babelbabel{"startIncluding":"7.12.0","endExcluding":"7.29.4"}7.29.4
babelbabel8.0.0

References

CWEs

CWE-94 CWE-843

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.