CVSS 8.2 HIGH Vulnerability

CVE-2026-44728: @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling maliciou…


CVSS Score: 8.2
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-44728
Vendor: npm
Affected Product: @babel/plugin-transform-modules-systemjs
Vulnerability Type: Vulnerability
CVSS Score: 8.2 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Impact

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are:

- @babel/plugin-transform-modules-systemjs
- @babel/preset-env when using the [modules: "systemjs" option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to @babel/plugin-transform-modules-systemjs

No other plugins under the @babel namespace are impacted. Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/plugin-transform-modules-systemjs@7.29.4. Babel also released @babel/preset-env@7.29.5, updating its @babel/plugin-transform-modules-systemjs dependency, to simplify forcing the update if you are using `@babel/pre
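A lockfile check for the fixed versions named above, as an added example that is not part of the advisory or of Babel's own code: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and flags every installed copy older than the fixed release. The function names, status labels and sample lockfile are assumptions made for illustration; copies on a different major line are marked for review because the page names no fixed release for them.

```javascript
// Fixed versions as quoted in the advisory text above.
const FIXED = {
  "@babel/plugin-transform-modules-systemjs": "7.29.4",
  "@babel/preset-env": "7.29.5", // matters only with modules: "systemjs"
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; null when the string is not semver-like.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] !== undefined } : null;
}

// Classify an installed version against the fixed one. "review" means unparseable
// or a different major line, for which the page names no fixed release (assumption).
function classify(installed, fixed) {
  const a = parseVersion(installed), b = parseVersion(fixed);
  if (!a || !b || a.nums[0] !== b.nums[0]) return "review";
  for (let i = 1; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? "below-fixed" : "ok";
  }
  return a.pre && !b.pre ? "below-fixed" : "ok"; // 7.29.4-rc.1 sorts before 7.29.4
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and report
// every installed copy, including copies nested under another dependency.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0) continue; // root project or workspace entry
    const name = path.slice(i + "node_modules/".length);
    if (!Object.hasOwn(FIXED, name)) continue;
    const status = classify(meta.version, FIXED[name]);
    findings.push({ path, name, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@babel/preset-env": { version: "7.29.5" },
    "node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.29.4" },
    "node_modules/legacy-build/node_modules/@babel/plugin-transform-modules-systemjs": { version: "7.25.9" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

A `below-fixed` result on a nested path means another dependency carries its own copy, which upgrading the top-level package alone does not replace.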

