CVE-2026-49356 - Low Severity Vulnerability
Vulnerable Library - core-7.11.4.tgz
Babel compiler core.
Library home page: https://registry.npmjs.org/@babel/core/-/core-7.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/core/package.json
Dependency Hierarchy:
- nuxt-2.14.3.tgz (Root Library)
- webpack-2.14.3.tgz
- ❌ core-7.11.4.tgz (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Vulnerability Details
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.
Publish Date: 2026-06-22
URL: CVE-2026-49356
CVSS 3 Score Details (3.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/babel/babel.git - 7.29.6,https://github.com/babel/babel.git - 8.0.0-rc.6
Step up your Open Source Security Game with Mend here
CVE-2026-49356 - Low Severity Vulnerability
Babel compiler core.
Library home page: https://registry.npmjs.org/@babel/core/-/core-7.11.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@babel/core/package.json
Dependency Hierarchy:
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if the attacker controls the input source code, can read the output source code, and knows the path of the source map file that they want to read. This vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.
Publish Date: 2026-06-22
URL: CVE-2026-49356
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/babel/babel.git - 7.29.6,https://github.com/babel/babel.git - 8.0.0-rc.6
Step up your Open Source Security Game with Mend here