PT-2026-39295 · npm · @babel/plugin-transform-modules-systemjs

Daniel-Msft · Published 2026-05-08 · Updated 2026-05-26 · CVE-2026-44728

CVSS v3.1: 8.2 (High)

Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Babel versions 7.12.0 through 7.29.3
Babel versions 8.0.0-alpha.1 through 8.0.0-alpha.12

Description

Compiling code specifically crafted by an attacker can cause the generation of output code that executes arbitrary code. This issue affects the @babel/plugin-transform-modules-systemjs plugin and @babel/preset-env when the modules: "systemjs" option is used, as it delegates to the affected plugin. Users who only compile trusted code are not impacted.

Recommendations

Update to version 7.29.4 or 8.0.0-alpha.13. Update @babel/preset-env to version 7.29.5. As a temporary workaround, pin @babel/parser to v7.11.5, though this may disable new language features and cause build pipeline failures. Avoid using the modules: "systemjs" option and migrate the codebase to native ES Modules or other module formats.
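
To check a project against the ranges above, the following added example (not part of the advisory and not Babel project code) walks an npm lockfile and reports every installed copy of the plugin, including nested ones, whose version falls in an affected range. It assumes the stated Babel version ranges apply to the plugin package's own version and that the lockfile uses the lockfileVersion 2 or 3 "packages" layout; the sample lockfile and the package name legacy-build are constructed.

```javascript
// Added example (not Babel project code): audit a lockfile for affected plugin versions.
const PLUGIN = "@babel/plugin-transform-modules-systemjs";

// Ranges as stated in the advisory, inclusive (assumed to be plugin versions).
const AFFECTED = [
  ["7.12.0", "7.29.3"],
  ["8.0.0-alpha.1", "8.0.0-alpha.12"],
];

// Parse "X.Y.Z" or "X.Y.Z-alpha.N"; a release sorts after its own prereleases.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-alpha\.(\d+))?$/.exec(version);
  if (!m) return null; // other tags (or a missing version) are outside the stated ranges
  const pre = m[4] === undefined ? Infinity : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), pre];
}

function compare(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parse(version);
  if (!v) return false;
  return AFFECTED.some(
    ([lo, hi]) => compare(v, parse(lo)) >= 0 && compare(v, parse(hi)) <= 0
  );
}

// Walk the lockfile "packages" map, including copies nested under other packages.
function auditLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path.endsWith("node_modules/" + PLUGIN) && isAffected(e.version))
    .map(([path, e]) => ({ path, version: e.version }));
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  ["node_modules/" + PLUGIN]: { version: "7.29.4" },
  ["node_modules/@babel/preset-env/node_modules/" + PLUGIN]: { version: "7.25.9" },
  ["node_modules/legacy-build/node_modules/" + PLUGIN]: { version: "8.0.0-alpha.12" },
} };
console.log(auditLock(sampleLock));
```

A top-level copy at a fixed version does not clear the project: nested copies pulled in by other dependencies are resolved separately and need their own update or override.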

Fix

Type Confusion

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-44728
GHSA-FV7C-FP4J-7GWP

Affected Products

@babel/plugin-transform-modules-systemjs
Babel