CVE-2026-26974
Status: Received - Intake
Arbitrary Code Execution via Plugin Import in Slyde

Publication date: 2026-02-20

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files, including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5. To work around this issue, users can audit and restrict which packages are installed in node_modules.
Meta Information
  • Published: 2026-02-20
  • Last modified: 2026-03-02
  • Generated: 2026-06-16
  • AI Q&A: 2026-02-20
  • EPSS evaluated: 2026-06-15
  • NVD
Affected Vendors & Products
Showing 1 associated CPE
  • Vendor: slyde.js; Product: slyde; Version / Range: up to 0.0.5 (excluding)
CWE
  • CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
AI Quick Actions
Executive Summary

CVE-2026-26974 is a remote code execution vulnerability in the Slyde program, which creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports files matching the pattern **/*.plugin.{js,mjs}, including those inside the node_modules directory. This means that if a malicious package with a .plugin.js file is installed, it can execute arbitrary code when the package is installed or required.

The vulnerability arises because the import mechanism does not restrict or validate the source of these plugin files, allowing untrusted code from node_modules to run automatically.

This issue was fixed in version 0.0.5 by changing the import patterns to only include plugin files from a specific plugins directory, preventing automatic execution of code from node_modules.

Impact Analysis

This vulnerability can lead to remote code execution, meaning an attacker can run arbitrary malicious code on your system if you install or require a malicious package containing a .plugin.js file.

If your project uses Slyde versions 0.0.4 or below and installs untrusted packages, an attacker could exploit this to compromise your system, steal data, or perform other malicious actions.

The risk is especially high in environments where untrusted or third-party packages are installed without strict auditing or restrictions.

Detection Guidance

This vulnerability arises because Node.js automatically imports files matching the pattern **/*.plugin.{js,mjs}, including those from the node_modules directory, allowing malicious .plugin.js files to execute arbitrary code.

To detect whether your system is affected, audit the node_modules directory for any packages containing files with the .plugin.js or .plugin.mjs extensions.

  • Use commands like `find node_modules -type f -name '*.plugin.js'` or `find node_modules -type f -name '*.plugin.mjs'` to locate potentially malicious plugin files.
  • Review the list of installed packages to identify any untrusted or suspicious packages that might include such plugin files. [2]

Mitigation Strategies

The primary mitigation is to upgrade the Slyde package to version 0.0.5 or later, where the vulnerability has been fixed by restricting automatic imports to a safer pattern.

As a workaround before upgrading, audit and restrict which packages are installed in node_modules to prevent untrusted code execution.

  • Upgrade to Slyde version 0.0.5 or later.
  • Audit installed node_modules for untrusted packages and remove or replace them.
  • Avoid installing packages from untrusted sources that might include malicious .plugin.js files.