7.6
Slyde Node.js Packages Allow Malicious Code to Run
CVE-2026-26974
GHSA-w7h5-55jg-cq2f
Summary
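Projects using Slyde can end up running arbitrary code from their dependencies: files matching `**/*.plugin.{js,mjs}` are imported automatically, including those inside `node_modules`, so a malicious package that ships a `.plugin.js` file can execute code when installed or required and take control of the project. This is a serious issue for projects that install untrusted packages. To fix the problem, upgrade to Slyde version 0.0.5 or later.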
What to do
- Update tygo-van-den-hurk slyde to version 0.0.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| tygo-van-den-hurk | slyde | <= 0.0.5 | 0.0.5 |
| slyde.js | slyde | <= 0.0.5 | – |
Original title
Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
Original description
### Impact
This is a **remote code execution (RCE) vulnerability**. Node.js automatically imports `**/*.plugin.{js,mjs}` files including those from `node_modules`, so any malicious package with a `.plugin.js` file could execute arbitrary code when installed or required. **All projects using this loading behavior are affected**, especially those installing untrusted packages.
### Patches
The issue has been **patched in v0.0.5**. Users should upgrade to **v0.0.5 or later** to mitigate the vulnerability.
### Workarounds
- Audit and restrict which packages are installed in `node_modules`.
### References
- [CWE-94: Improper Control of Generation of Code](https://cwe.mitre.org/data/definitions/94.html)
- GitHub Security Advisories documentation: [https://docs.github.com/en/code-security/security-advisories](https://docs.github.com/en/code-security/security-advisories)
- NVD CVSS 3.1: 9.8
- NVD CVSS 4.0: 7.6
- Vulnerability type: CWE-829
- https://nvd.nist.gov/vuln/detail/CVE-2026-26974
- https://github.com/advisories/GHSA-w7h5-55jg-cq2f
- https://github.com/Tygo-van-den-Hurk/Slyde/commit/e4c215b061e44fd2ead805de34d726... Patch
- https://github.com/Tygo-van-den-Hurk/Slyde/releases/tag/v0.0.5 Product Release Notes
- https://github.com/Tygo-van-den-Hurk/Slyde/security/advisories/GHSA-w7h5-55jg-cq... Vendor Advisory
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026