CVE-2026-44728: @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input

May 8, 2026

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.

Known affected plugins are:

@babel/plugin-transform-modules-systemjs
@babel/preset-env when using the modules: "systemjs" option, as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted.

Users that only compile trusted code are not impacted.

References

github.com/advisories/GHSA-fv7c-fp4j-7gwp
github.com/babel/babel
github.com/babel/babel/security/advisories/GHSA-fv7c-fp4j-7gwp
nvd.nist.gov/vuln/detail/CVE-2026-44728

Code Behaviors & Features

Detect and mitigate CVE-2026-44728 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →