What is CVE-2026-49356?

CVE-2026-49356 is a low-severity vulnerability in Babel, classified under Path Traversal. CVSS score: 3.2/10. Published 2026-06-22.

How severe is CVE-2026-49356?

Low severity. CVSS v3 base score is 3.2 out of 10.

Path Traversal in Babel

CVE-2026-49356

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an a…

Vulnerability class: Path Traversal (Directory Traversal)

CVSS v3 metric

CVSS v3 base score 3.2 (Low). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N.

Affected products

Babel — versions >= 8.0.0-alpha.0, < 8.0.0-rc.5, < 7.29.6

Weakness classification (CWE)

CWE-22 — Path Traversal
CWE-200 — Information Disclosure

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-49356?: CVE-2026-49356 is a low-severity vulnerability in Babel, classified under Path Traversal. CVSS score: 3.2/10. Published 2026-06-22.
How severe is CVE-2026-49356?: Low severity. CVSS v3 base score is 3.2 out of 10.