< Back

CVE-2026-44728

Updated on 08 May 2026

Severity

8.2 High severity

Details

CVSS score: 8.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE ID: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

CWE-94 Improper Control of Generation of Code ('Code Injection')
Affected product
Affected component
Links: NIST CIRCL RHEL Ubuntu

Overview

About vulnerability

Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Known affected plugins are:

@babel/plugin-transform-modules-systemjs
@babel/preset-env when using the modules: "systemjs" option, as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/[email protected].

Babel also released @babel/[email protected], updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.

Workarounds

Pin @babel/parser to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade @babel/plugin-transform-modules-systemjs to v7.29.4.
Do not use the modules: "systemjs" option, migrate the codebase to native ES Modules or any other module formats.

Credits

Babel thanks Daniel Cervera for reporting the vulnerability.

Details

Affected product:: Babel , Next.js , Node.js , React , astro , b4a , babel , babel-jest , babel-loader , babel-plugin-codegen , babel-plugin-istanbul , babel-plugin-jsx , babel-plugin-proposal-dynamic-import , babel-plugin-proposal-private-property-in-object , babel-plugin-syntax-dynamic-import , babel-plugin-syntax-object-rest-spread , babel-plugin-transform-block-scoping , babel-plugin-transform-property-literals , babel-plugin-transform-react-jsx , babel-plugin-transform-runtime , babel-plugin-transform-sticky-regex , babel-polyfills , babel-preset-current-node-syntax , babel-preset-expo , babel-preset-flow , babel-sugar-composition-api-render-instance , babel-sugar-v-model , babel-sugar-v-on , bare-fs , bare-stream , bottom-tabs , cli , config-plugins , db0 , devtools , drawer , drizzle-orm , expo , expo-asset , expo-constants , expo-file-system , expo-image , expo-linking , expo-metro , expo-modules-autolinking , expo-modules-jsi , expo-router , expo-sqlite , expo-symbols , expo-widgets , flow , image-utils , istanbuljs , jest , jest-circus , jest-preset , jest-runtime , jest-transform , jscodeshift , jsx , jsx-vue2 , masked-view , metro , metro-runtime , native-stack , nitro , nuxt , op-sqlite , prebuild-config , preset-modules , remix , sharp , storybook , streamx , styled-jsx , tar-fs , tar-stream , teex , text-decoder , unstorage , untyped , vanilla-extract , vector-icons , vite , vite-dev-rpc , vite-hot-client , vite-plugin-checker , vite-plugin-inspect , vite-plugin-vue , vite-plugin-vue-inspector , vite-plugin-vue-tracer , vitefu
Affected packages:: @babel/plugin-transform-modules-systemjs @ 7.29.4 (+870 more)

Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Known affected plugins are:

@babel/plugin-transform-modules-systemjs
@babel/preset-env when using the modules: "systemjs" option, as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/[email protected].

Babel also released @babel/[email protected], updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using @babel/preset-env directly.

Workarounds

Pin @babel/parser to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade @babel/plugin-transform-modules-systemjs to v7.29.4.
Do not use the modules: "systemjs" option, migrate the codebase to native ES Modules or any other module formats.

Credits

Babel thanks Daniel Cervera for reporting the vulnerability.

Release info

Copy page link

Open as a page

Advisory

CLSA-2025:1748945064

Operating system

CentOS 8.4 ELS

Published date

Nov 16, 2014

Project

Linux

Version

2.11.0-1~ubuntu16.04.1+tuxcare.els12

How to fix

Update command:

apt-get update
apt-get --only-upgrade install ansible*

Changelog

Insufficiently Random Passwords Leakage
Debian/patches/CVE-2020-10729.patch: Fix caching of Jinja2 expressions to prevent caching dynamic results
CVE-2020-10729

Updated packages

ansible_2.5.1+dfsg-1ubuntu0.1+tuxcare.els6_all.deb

CVE-2026-44728

Severity

Details

Overview

About vulnerability

Impact

Patches

Workarounds

Credits

Details

Impact

Patches

Workarounds

Credits

Statement

Subscribe to updates

Unsubscribe

Contact us

Message Delivered!