Description
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5. To workaround this issue, users can audit and restrict which packages are installed in node_modules.
Published: 2026-02-20
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Slyde is a tool that renders animated presentations from XML. In versions 0.0.4 and earlier, Node.js automatically imports all *.plugin.js or *.plugin.mjs files found under any directory, including node_modules. As a result, any malicious package containing a .plugin.js file can execute arbitrary JavaScript when the package is installed or required by a Slyde project. This flaw enables remote or local execution of code, depending on how the attacker obtains the malicious package. The weakness corresponds to CWE‑829, Improper Control of Generation of Code.

Affected Systems

All projects that use the affected loading behavior are vulnerable. The issue applies to any installation of Slyde up to and including version 0.0.4. It is most dangerous when untrusted packages are added to node_modules, such as public npm modules or private packages that the developer does not fully audit. The vendor and product are Tygo‑van‑den‑Hurk’s Slyde, with affected versions 0.0.4 and earlier, running under Node.js.

Risk and Exploitability

The vulnerability has a CVSS score of 7.6 and an EPSS below 1 %, indicating a low to moderate likelihood of exploitation in the near term, and it is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply or influence the contents of node_modules in a Slyde project, typically by publishing a malicious dependency or persuading a developer to install one. Because the code runs during the install or require process, an attacker can gain full permission to the machine that runs the Slyde instance. The attack vector is inferred to be local privilege escalation via npm package injection, and, if the Slyde instance is exposed to external users, remote code execution is possible.

Generated by OpenCVE AI on April 18, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Slyde to version 0.0.5 or newer to apply the vendor fix.
  • Audit the node_modules directory and restrict installation of untrusted packages, removing any packages that contain .plugin.js files or limiting dependencies via lockfiles.
  • Where possible, disable Node.js automatic loading of .plugin.js files or manually remove them from node_modules to prevent inadvertent execution of malicious code.

Generated by OpenCVE AI on April 18, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w7h5-55jg-cq2f Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
History

Mon, 02 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Slyde.js
Slyde.js slyde
CPEs cpe:2.3:a:slyde.js:slyde:*:*:*:*:*:node.js:*:*
Vendors & Products Slyde.js
Slyde.js slyde
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tygo-van-den-hurk
Tygo-van-den-hurk slyde
Vendors & Products Tygo-van-den-hurk
Tygo-van-den-hurk slyde

Fri, 20 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5. To workaround this issue, users can audit and restrict which packages are installed in node_modules.
Title Sylde has Improper Control of Generation of Code
Weaknesses CWE-829
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Slyde.js Slyde
Tygo-van-den-hurk Slyde
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:36:08.989Z

Reserved: 2026-02-16T22:20:28.612Z

Link: CVE-2026-26974

cve-icon Vulnrichment

Updated: 2026-02-20T15:26:40.952Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T01:16:00.107

Modified: 2026-03-02T14:35:18.853

Link: CVE-2026-26974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses