CVE-2026-44728
Severity: HIGH
WAF coverage: Medium
CVSS 7.8
Published: 2026-05-26
CWE-94
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.
WAF Coverage Analysis
Code Injection
Medium WAF Coverage
OWASP: A03:2021 Injection
- 932xxx - Remote Code Execution
- 933xxx - PHP Injection
- 934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| babel | babel | 7.12.0 - 7.29.4 |
| babel | babel | 8.0.0 |
References
- github.com (Mitigation, Vendor Advisory)