CVE-2026-44728
Severity: HIGH 8.2 | EPSS 0.02%
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
Description
### Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are:

- `@babel/plugin-transform-modules-systemjs`
- `@babel/preset-env` when using the [`modules: "systemjs"` option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to `@babel/plugin-transform-modules-systemjs`

No other plugins under the `@babel` namespace are impacted.

**Users that only compile trusted code are not impacted.**

### Patches

The vulnerability has been fixed in `@babel/[email protected]`. Babel also released `@babel/[email protected]`, updating its `@babel/plugin-transform-modules-systemjs` dependency, to simplify forcing the update if you are using `@babel/preset-env` directly.

### Workarounds

- Pin `@babel/parser` to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and cannot upgrade `@babel/plugin-transform-modules-systemjs` to v7.29.4.
- Do not use the `modules: "systemjs"` option; migrate the codebase to native ES Modules or any other module format.

### Credits

Babel thanks Daniel Cervera for reporting the vulnerability.
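A small exposure check that combines the advisory's affected range with the two configuration shapes it names, so a build team can tell "vulnerable version installed" apart from "vulnerable transform actually selected". This is an added example, not Babel's code; the installed version and config passed to it are constructed inputs, and the config shapes are the standard Babel `plugins`/`presets` array forms.

```javascript
// Exposure check for CVE-2026-44728 (added example, not part of the advisory).
// Affected: @babel/plugin-transform-modules-systemjs >= 7.12.0, < 7.29.4, and only
// when the transform is selected, either directly or via @babel/preset-env with
// modules: "systemjs". Inputs below are constructed for illustration.
const AFFECTED_MIN = [7, 12, 0]; // first affected release (inclusive)
const FIXED = [7, 29, 4];        // first fixed release (exclusive)

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the installed plugin version falls inside the advisory's affected range.
function isAffectedVersion(version) {
  const v = parseSemver(version);
  return cmp(v, AFFECTED_MIN) >= 0 && cmp(v, FIXED) < 0;
}

// Babel accepts each plugin/preset entry as "name" or ["name", options].
function entryName(entry) { return Array.isArray(entry) ? entry[0] : entry; }
function entryOpts(entry) { return Array.isArray(entry) && entry[1] ? entry[1] : {}; }

// True when the config routes module compilation through the SystemJS transform.
function usesSystemjsTransform(config) {
  const plugins = config.plugins || [];
  const presets = config.presets || [];
  if (plugins.some(p => entryName(p) === "@babel/plugin-transform-modules-systemjs")) return true;
  return presets.some(p => entryName(p) === "@babel/preset-env" && entryOpts(p).modules === "systemjs");
}

// Verdict: "exposed" only when an affected version is installed AND the config selects it.
function assessExposure(installedPluginVersion, config) {
  const vulnerableVersion = isAffectedVersion(installedPluginVersion);
  const enabled = usesSystemjsTransform(config);
  if (vulnerableVersion && enabled) return "exposed";
  if (vulnerableVersion) return "vulnerable-version-installed-but-transform-not-enabled";
  return "not-exposed";
}

// Constructed sample: preset-env delegating to systemjs (the second affected shape).
const sampleConfig = { presets: [["@babel/preset-env", { modules: "systemjs" }]] };
```

Read the installed version from `node_modules/@babel/plugin-transform-modules-systemjs/package.json` and the config from your `babel.config.js` or `.babelrc` to run it against a real project.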
Affected packages (2)
- Debian/node-babel7: from 0
- npm/@babel/plugin-transform-modules-systemjs: >= 7.12.0, < 7.29.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |