CVE-2026-26974
Arbitrary Code Execution via Plugin Import in Slyde
Publication date: 2026-02-20
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slyde.js | slyde | up to 0.0.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Slyde package to version 0.0.5 or later, where the vulnerability has been fixed by restricting automatic imports to a safer pattern.
As a workaround before upgrading, audit and restrict which packages are installed in node_modules to prevent untrusted code execution.
- Upgrade to Slyde version 0.0.5 or later.
- Audit installed node_modules for untrusted packages and remove or replace them.
- Avoid installing packages from untrusted sources that might include malicious .plugin.js files.
Can you explain this vulnerability to me?
CVE-2026-26974 is a remote code execution vulnerability in Slyde, a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports files matching the glob pattern **/*.plugin.{js,mjs}, including those inside the node_modules directory. This means that if a malicious package containing a .plugin.js file is installed, that file's code runs when the package is installed or required.
The vulnerability arises because the import mechanism does not restrict or validate the source of these plugin files, allowing untrusted code from node_modules to run automatically.
This issue was fixed in version 0.0.5 by changing the import patterns to only include plugin files from a specific plugins directory, preventing automatic execution of code from node_modules.
How can this vulnerability impact me?
This vulnerability can lead to remote code execution, meaning an attacker can run arbitrary malicious code on your system if you install or require a malicious package containing a .plugin.js file.
If your project uses Slyde versions 0.0.4 or below and installs untrusted packages, an attacker could exploit this to compromise your system, steal data, or perform other malicious actions.
The risk is especially high in environments where untrusted or third-party packages are installed without strict auditing or restrictions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises because Node.js automatically imports files matching the pattern **/*.plugin.{js,mjs}, including those from the node_modules directory, allowing malicious .plugin.js files to execute arbitrary code.
To detect whether your system is affected, audit the node_modules directory for any packages containing files with the .plugin.js or .plugin.mjs extension.
- Use commands like `find node_modules -type f -name '*.plugin.js'` or `find node_modules -type f -name '*.plugin.mjs'` to locate potentially malicious plugin files.
- Review the list of installed packages to identify any untrusted or suspicious packages that might include such plugin files. [2]