CVE-2026-26974

UNKNOWN 0.0

Sylde has Improper Control of Generation of Code

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5. To workaround this issue, users can audit and restrict which packages are installed in node_modules.

CWE	CWE-829
Vendor	tygo-van-den-hurk
Product	slyde
Published	Feb 20, 2026
Last Updated	Feb 20, 2026

Stay Ahead of the Next One

Get instant alerts for tygo-van-den-hurk slyde

Be the first to know when new unknown vulnerabilities affecting tygo-van-den-hurk slyde are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Tygo-van-den-Hurk / Slyde

< 0.0.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Tygo-van-den-Hurk/Slyde/security/advisories/GHSA-w7h5-55jg-cq2f github.com: https://github.com/Tygo-van-den-Hurk/Slyde/commit/e4c215b061e44fd2ead805de34d72642a710af60 github.com: https://github.com/Tygo-van-den-Hurk/Slyde/releases/tag/v0.0.5