CVE-2026-49356 | Babel is a compiler for writing next generation JavaScript. … | CVSS 3.2 LOW

Description

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.

Metadata

CVE ID: CVE-2026-49356
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-29 14:35 UTC
Published: 2026-06-22 16:07 UTC
Last updated: 2026-06-22 17:23 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: babel / babel
Sources: cve.org · NVD

Severity & Metrics

3.2 LOW CVSS 3.1

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
babel	babel	—	>= 8.0.0-alpha.0, < 8.0.0-rc.5, < 7.29.6

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
3.2	LOW	3.1	cna	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References (1)

https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8 https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8