Fabre

#1140816 node-babel7: CVE-2026-49356 #1140816

Package:: src:node-babel7

Source:: src:node-babel7

Submitter:: Salvatore Bonaccorso

Date:: 2026-06-26 20:15:02 UTC

Severity:: normal

Tags:

#1140816#5

Date:: 2026-06-26 20:12:09 UTC

From:

To:

Hi,

The following vulnerability was published for node-babel7.

CVE-2026-49356[0]:
| Babel is a compiler for writing next generation JavaScript. Prior to
| 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file
| read via a sourceMappingURL comment. Using @babel/core to compile
| maliciously crafted code can allow an attacker to read any source
| map from the system that is running Babel, if the attacker controls
| the input source code, can read the output source code, and knows
| the path of the source map file that they want to read. This
| vulnerability is fixed in 8.0.0-rc.6 and 7.29.6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49356
https://www.cve.org/CVERecord?id=CVE-2026-49356
[1] https://github.com/babel/babel/security/advisories/GHSA-4x5r-pxfx-6jf8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1140816 node-babel7: CVE-2026-49356 #1140816

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)