CVE-2026-44728

Name: CVE-2026-44728
Description: Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1138712

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| node-babel7 (PTS) | bullseye (security), bullseye | 7.12.12+~cs150.141.84-6+deb11u1 | vulnerable |
| | bookworm | 7.20.15+ds1+~cs214.269.168-3+deb12u2 | vulnerable |
| | bookworm (security) | 7.20.15+ds1+~cs214.269.168-3+deb12u1 | vulnerable |
| | trixie | 7.20.15+ds1+~cs214.269.168-8 | vulnerable |
| | forky, sid | 7.20.15+ds1+~cs214.269.168-17 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-babel7 | source | (unstable) | (unfixed) | | | 1138712 |

Notes

https://github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp
