PT-2026-49556 · npm · @babel/core

Published: 2026-06-15 · Updated: 2026-06-15

CVE-2026-49356

CVSS v3.1: 3.2 (Low)

Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

@babel/core versions prior to 7.29.6
@babel/core versions prior to 8.0.0-rc.6

Description

Compiling maliciously crafted code using @babel/core can allow an attacker to read any source map from the system. This occurs when the attacker controls the input source code, can read the output source code, and knows the path of the target source map file.

Recommendations

Update to version 7.29.6 or later.
Update to version 8.0.0-rc.6 or later.
Set inputSourceMap to false in the Babel options.
Manually extract the #sourceMappingURL comment from the input source code and validate whether the linked source map is allowed to be read; pass an object to inputSourceMap only if it is validated, and pass false otherwise.
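
The last recommendation, sketched in JavaScript as an added example that is not code from Babel or from this advisory. Because the caller passes either a parsed object or false, Babel is never left to follow the comment itself. The function name resolveInputSourceMap, the allowedRoot parameter and the policy "the map must resolve inside one directory" are assumptions.

```javascript
// Added example (not Babel's code): compute the value to pass as `inputSourceMap`.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// `//# sourceMappingURL=...` or `/*# sourceMappingURL=... */` (legacy `@` form included).
const MAP_COMMENT = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=([^\s'"*]+)/g;

// Returns the parsed map if the linked file really lies inside `allowedRoot`
// (hypothetical policy parameter); returns false in every other case.
function resolveInputSourceMap(code, filename, allowedRoot) {
  const matches = [...code.matchAll(MAP_COMMENT)];
  if (matches.length === 0) return false;
  try {
    const url = decodeURIComponent(matches[matches.length - 1][1]);
    // Refuse anything with a scheme (data:, file:, http:, C:\) or an absolute path.
    if (/^[a-z][a-z0-9+.-]*:/i.test(url) || path.isAbsolute(url)) return false;
    // realpathSync resolves ".." and symlinks, so the check sees the true target.
    const root = fs.realpathSync(allowedRoot);
    const real = fs.realpathSync(path.resolve(path.dirname(filename), url));
    const rel = path.relative(root, real);
    if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) return false;
    return JSON.parse(fs.readFileSync(real, "utf8"));
  } catch {
    return false; // bad escape, missing file, unreadable file, or invalid JSON
  }
}

// Constructed sample input: a temp project with one map inside it and one outside.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ism-"));
  const root = path.join(base, "project");
  const file = path.join(root, "src", "a.js");
  fs.mkdirSync(path.dirname(file), { recursive: true });
  fs.writeFileSync(file + ".map", '{"version":3,"sources":["a.ts"],"mappings":""}');
  fs.writeFileSync(path.join(base, "outside.map"), '{"version":3,"sources":[],"mappings":""}');
  const check = (url) => resolveInputSourceMap(`x;\n//# sourceMappingURL=${url}\n`, file, root);
  const out = {
    inside: check("a.js.map"),
    traversal: check("../../outside.map"),
    encoded: check("..%2F..%2Foutside.map"),
    absolute: check(path.join(base, "outside.map")),
    none: resolveInputSourceMap("x;\n", file, root),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}

// With Babel: babel.transformSync(code, { filename, inputSourceMap: resolveInputSourceMap(code, filename, root) });
```
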

Fix

Information Disclosure

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-49356
GHSA-4X5R-PXFX-6JF8

Affected Products

@babel/core