CVE-2026-44728
Arbitrary Code Execution vulnerability in plugin-transform-modules-systemjs (npm)

Vulnerability type: Arbitrary Code Execution. Known public exploit: none.

What is CVE-2026-44728 About?

This vulnerability allows for arbitrary code execution when using Babel to compile specifically crafted code. Attackers can exploit this to run malicious code on systems processing the crafted input, making it a critical and potentially easy-to-exploit issue if unsanitized code is passed to affected Babel plugins.

Affected Software

  • @babel/plugin-transform-modules-systemjs
    • >=8.0.0-alpha.0, <8.0.0-alpha.13
    • >=7.12.0, <7.29.4

Technical Details

The vulnerability arises when Babel compiles code specifically crafted by an attacker: the generated output contains instructions the attacker chose. The defect lies in @babel/plugin-transform-modules-systemjs, and @babel/preset-env is affected as well when it is configured with the modules: "systemjs" option, because that option delegates to the vulnerable plugin. Through manipulated input to the compilation step, an attacker can inject their own code into the output, ultimately leading to arbitrary code execution in the compiled environment. Users compiling untrusted code are particularly at risk.

What is the Impact of CVE-2026-44728?

Successful exploitation may allow attackers to execute arbitrary code within the context of the compilation process, potentially compromising the integrity and confidentiality of the system where Babel is run.

What is the Exploitability of CVE-2026-44728?

Exploitation of this vulnerability requires an attacker to be able to supply crafted code for compilation by a vulnerable Babel setup. There are no authentication or specific privilege requirements beyond the ability to submit code for compilation. The complexity is low if external, untrusted code is routinely compiled. The primary risk factor is the processing of untrusted input through affected Babel plugins and presets, making it a remote exploitation vector if the compilation service is exposed.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known exploits.

What are the Available Fixes for CVE-2026-44728?

Available Upgrade Options

  • @babel/plugin-transform-modules-systemjs
    • >=7.12.0, <7.29.4 → Upgrade to 7.29.4
  • @babel/plugin-transform-modules-systemjs
    • >=8.0.0-alpha.0, <8.0.0-alpha.13 → Upgrade to 8.0.0-alpha.13
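The Technical Details and Available Upgrade Options sections above give a defender two things to check: whether an installed copy of @babel/plugin-transform-modules-systemjs falls in an affected range, and whether a Babel config reaches that plugin through @babel/preset-env with modules: "systemjs". The following is an added example, not code from Babel or from this advisory's publisher: it encodes the two version ranges stated on this page, compares semver strings including the alpha prerelease identifiers, walks a package-lock.json v2/v3 packages map (a constructed excerpt is embedded), and inspects a Babel config object. The lockfile excerpt and config are constructed sample inputs.

```javascript
// Added example: audit a lockfile and a Babel config against the version
// ranges this advisory lists. Not Babel's or the advisory vendor's own code.

// Affected ranges from the advisory: lower bound inclusive, upper exclusive.
const AFFECTED_RANGES = [
  { min: "7.12.0", max: "7.29.4", fixed: "7.29.4" },
  { min: "8.0.0-alpha.0", max: "8.0.0-alpha.13", fixed: "8.0.0-alpha.13" },
];

const PLUGIN = "node_modules/@babel/plugin-transform-modules-systemjs";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Semver prerelease ordering: numeric identifiers compare numerically,
// alphanumeric ones lexically, numeric sorts before alphanumeric, and a
// release with no prerelease is greater than any prerelease of the same core.
function comparePre(a, b) {
  if (a === null && b === null) return 0;
  if (a === null) return 1;
  if (b === null) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const an = /^\d+$/.test(a[i]);
    const bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return d;
    } else if (an !== bn) {
      return an ? -1 : 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return a.length - b.length;
}

function compareVersions(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  return comparePre(a.pre, b.pre);
}

// Returns the version to upgrade to, or null when the version is outside
// every affected range.
function affectedFixFor(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) < 0) {
      return r.fixed;
    }
  }
  return null;
}

// Walk the `packages` map of a package-lock.json (lockfileVersion 2 or 3)
// and report every installed copy of the plugin, nested copies included,
// that is still in an affected range.
function findVulnerableInLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPlugin = path === PLUGIN || path.endsWith("/" + PLUGIN);
    if (!isPlugin || !entry.version) continue;
    const fixed = affectedFixFor(entry.version);
    if (fixed) hits.push({ path, version: entry.version, upgradeTo: fixed });
  }
  return hits;
}

// True when a Babel config selects SystemJS output via preset-env, which the
// advisory says delegates to the affected plugin. Presets may be given as a
// bare name or as [name, options].
function presetEnvTargetsSystemjs(babelConfig) {
  for (const p of babelConfig.presets || []) {
    const [name, opts] = Array.isArray(p) ? p : [p, {}];
    if (name === "@babel/preset-env" && opts && opts.modules === "systemjs") return true;
  }
  return false;
}

// Constructed lockfile excerpt: one affected copy at the root, one already
// fixed copy nested under another dependency.
const SAMPLE_LOCK = {
  packages: {
    [PLUGIN]: { version: "7.25.0" },
    ["node_modules/some-tool/" + PLUGIN]: { version: "7.29.4" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerableInLockfile(SAMPLE_LOCK));
  console.log(presetEnvTargetsSystemjs({ presets: [["@babel/preset-env", { modules: "systemjs" }]] }));
}
```

To run this against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json and pass the object exported by its babel.config.js to presetEnvTargetsSystemjs. A project whose config targets SystemJS but whose lockfile shows no affected copy is clear; one with an affected copy anywhere in the tree should take the upgrade the advisory lists for that range.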


Additional Resources

What are Similar Vulnerabilities to CVE-2026-44728?

Similar Vulnerabilities: CVE-2023-45133, CVE-2023-34150, CVE-2022-24756, CVE-2021-23390, CVE-2020-8199