Slyde has Improper Control of Generation of Code
Description
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, the CLI's default plugin globs include `**/*.plugin.{js,mjs}` (alongside `**/*.plugins.{js,mjs}` and `**/*.slyde.{js,mjs}`, as the fix commit shows), and they are resolved with FastGlob against the whole project tree, node_modules included. Every matching file is imported as a custom-tag plugin, so any malicious package that ships a `.plugin.js` file executes arbitrary code whenever Slyde is run in a project where that package is installed. All projects relying on the default loading behaviour are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5, which narrows the default to `plugins/**.slyde.{js,mjs}`. As a workaround, users can audit and restrict which packages are installed in node_modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Slyde automatically imports plugin files from node_modules, enabling arbitrary code execution through a malicious package; fixed in v0.0.5.
Slyde is a program for creating animated presentations from XML. Versions 0.0.4 and below ship default plugin globs that include `**/*.plugin.{js,mjs}` and are resolved with FastGlob against the whole project tree, node_modules included. Any package installed in the project can therefore provide a plugin file that Slyde imports and executes without explicit user consent [1]. The advisory classifies the weakness as CWE-94, Improper Control of Generation of Code; mechanically it is the inclusion of functionality from an untrusted control sphere, because the loader trusts every file its glob finds [4].
To exploit this, an attacker publishes an npm package containing a `.plugin.js` file (a `.plugins.js` or `.slyde.js` file works as well, since the other removed default globs match those). Once a project depends on that package, directly or transitively, running the Slyde CLI without an explicit `-p` option resolves the default globs, imports the file and executes its top-level code. No authentication is required and no interaction beyond running Slyde, and the attack surface is broad for projects that install packages from untrusted sources [1][4].
Successful exploitation executes arbitrary code with the privileges of the user running Slyde, on the machine where the presentation is built. Because the payload arrives through a remotely published package, the impact corresponds to remote code execution (RCE) delivered via the supply chain, with the potential for full system compromise depending on that user's privileges [4].
The issue has been patched in version 0.0.5 [3]. Users are advised to upgrade to this version or later. As a workaround, users can carefully audit and restrict which packages are installed in the node_modules directory to minimize exposure [1][4].
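The loading path described above and the narrowed default from the fix, as an added example that is not Slyde's own code: it models the glob resolution that `FastGlob.sync` performs against a project tree, using a small hand-written glob-to-regex translator in place of fast-glob so that it runs offline. The project tree, the package name `evil-pkg` and all file names are constructed for this example; the two default lists are copied from the diff of commit e4c215b shown on this page. The translator follows the picomatch rule, which fast-glob uses, that `**` is a globstar only when it is a whole path segment and otherwise matches like `*`; that reading is an assumption, as is the `ignoreNodeModules` option, which stands in for fast-glob's `ignore` setting and is not something Slyde exposes.

```javascript
// Added example, not Slyde's code: how the pre-0.0.5 default plugin globs
// resolve into node_modules, and what the 0.0.5 default resolves to instead.

// Constructed project tree (relative POSIX paths, as fast-glob would list them).
// The package "evil-pkg" and every file under it are invented for this example.
const PROJECT_FILES = [
  'package.json',
  'slides.xml',
  'plugins/highlight.slyde.js',
  'plugins/legacy.js',
  'slyde/theme.js',
  'src/deck.plugin.js',
  'node_modules/left-pad/index.js',
  'node_modules/evil-pkg/package.json',
  'node_modules/evil-pkg/payload.plugin.js',      // matched by **/*.plugin.{js,mjs}
  'node_modules/evil-pkg/lib/extra.plugins.mjs',  // matched by **/*.plugins.{js,mjs}
  'node_modules/evil-pkg/theme.slyde.js',         // matched by **/*.slyde.{js,mjs}
];

// Default values of the -p/--plugins option, copied from the fix commit diff.
const DEFAULT_GLOBS_0_0_4 = [
  'plugins/**.{js,mjs}',
  'slyde/**.{js,mjs}',
  '**/*.plugins.{js,mjs}',
  '**/*.plugin.{js,mjs}',
  '**/*.slyde.{js,mjs}',
];
const DEFAULT_GLOBS_0_0_5 = ['plugins/**.slyde.{js,mjs}'];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Minimal glob -> RegExp translator standing in for fast-glob. Assumption: the
// picomatch rule that "**" is a globstar (zero or more directories) only when it
// is a whole path segment; inside a segment a run of stars behaves like "*".
// Supports "*", "**" and "{a,b}" alternation, which is all these patterns use.
function globToRegExp(glob) {
  const segments = glob.split('/');
  let re = '';
  segments.forEach((seg, i) => {
    const last = i === segments.length - 1;
    if (seg === '**') {
      re += last ? '.*' : '(?:[^/]+/)*';
      return;
    }
    for (let j = 0; j < seg.length; j++) {
      const c = seg[j];
      if (c === '*') {
        while (seg[j + 1] === '*') j++;   // "**.js" inside a segment -> same as "*.js"
        re += '[^/]*';
      } else if (c === '{') {
        const close = seg.indexOf('}', j);
        const alts = seg.slice(j + 1, close).split(',').map(escapeRe);
        re += '(?:' + alts.join('|') + ')';
        j = close;
      } else {
        re += escapeRe(c);
      }
    }
    if (!last) re += '/';
  });
  return new RegExp('^' + re + '$');
}

// Resolve plugin globs against a file list. Slyde then imports every resolved
// path, which is the point where a package's plugin code runs. The
// ignoreNodeModules option is a stand-in for fast-glob's `ignore` setting and
// is not something Slyde exposes.
function resolvePlugins(globs, files, { ignoreNodeModules = false } = {}) {
  const matchers = globs.map(globToRegExp);
  return files
    .filter((f) => !(ignoreNodeModules && f.split('/').includes('node_modules')))
    .filter((f) => matchers.some((m) => m.test(f)))
    .sort();
}

const fromNodeModules = (paths) => paths.filter((p) => p.startsWith('node_modules/'));

// Stand-alone run: show what each default would import from this tree.
const before = resolvePlugins(DEFAULT_GLOBS_0_0_4, PROJECT_FILES);
const after = resolvePlugins(DEFAULT_GLOBS_0_0_5, PROJECT_FILES);
console.log('0.0.4 defaults import:', before);
console.log('  of which from node_modules:', fromNodeModules(before));
console.log('0.0.5 default imports:', after);
console.log('explicit **/*.plugin.{js,mjs} with node_modules ignored:',
  resolvePlugins(['**/*.plugin.{js,mjs}'], PROJECT_FILES, { ignoreNodeModules: true }));
```

With the constructed tree, the 0.0.4 defaults pull in three files from under node_modules (one per `**/` pattern), while the 0.0.5 default resolves only `plugins/highlight.slyde.js`. The last call shows why an ignore filter matters in addition to the narrower default: a user who still passes `**/*.plugin.{js,mjs}` explicitly would otherwise get `node_modules/evil-pkg/payload.plugin.js` back.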
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @tygo-van-den-hurk/slyde (npm) | < 0.0.5 | 0.0.5 |
Affected products
- Range: < 0.0.5
Patches
e4c215b061e4 fix: prevent arbitrary code execution from node_modules directory
1 file changed · +1 −7
src/commands/base.ts+1 −7 modified@@ -38,13 +38,7 @@ export const cli = yargs(hideBin(process.argv)) alias: 'p', array: true, coerce: (value: readonly string[]) => FastGlob.sync([...value]), - default: [ - 'plugins/**.{js,mjs}', - 'slyde/**.{js,mjs}', - '**/*.plugins.{js,mjs}', - '**/*.plugin.{js,mjs}', - '**/*.slyde.{js,mjs}', - ] as string[], + default: ['plugins/**.slyde.{js,mjs}'] as string[], description: 'A directory or file to import and use as custom tags', type: 'string', })
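Review bot: the `coerce` on this same option still hands any user-supplied `-p` patterns straight to `FastGlob.sync([...value])` with no ignore list, so the hunk only narrows the default; a user who passes `**/*.plugin.{js,mjs}` on the command line reopens the node_modules import path. Consider `FastGlob.sync([...value], { ignore: ['**/node_modules/**'] })` so that neither the default nor an explicit pattern can resolve into installed packages, and update the `description` string (`'A directory or file to import and use as custom tags'`) to state the new default and that node_modules is never searched. Also worth confirming against fast-glob's globstar rule whether `plugins/**.slyde.{js,mjs}` is meant to recurse into subdirectories of `plugins/`; if nested plugin directories are intended, `plugins/**/*.slyde.{js,mjs}` is unambiguous.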
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w7h5-55jg-cq2f (GitHub Advisory Database)
- nvd.nist.gov/vuln/detail/CVE-2026-26974 (NVD)
- github.com/Tygo-van-den-Hurk/Slyde/commit/e4c215b061e44fd2ead805de34d72642a710af60 (fix commit)
- github.com/Tygo-van-den-Hurk/Slyde/releases/tag/v0.0.5 (release)
- github.com/Tygo-van-den-Hurk/Slyde/security/advisories/GHSA-w7h5-55jg-cq2f (repository security advisory)