CVE-2026-26974: Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
(updated )
This is a remote code execution (RCE) vulnerability. Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file could execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages.
References
- github.com/Tygo-van-den-Hurk/Slyde
- github.com/Tygo-van-den-Hurk/Slyde/commit/e4c215b061e44fd2ead805de34d72642a710af60
- github.com/Tygo-van-den-Hurk/Slyde/releases/tag/v0.0.5
- github.com/Tygo-van-den-Hurk/Slyde/security/advisories/GHSA-w7h5-55jg-cq2f
- github.com/advisories/GHSA-w7h5-55jg-cq2f
- nvd.nist.gov/vuln/detail/CVE-2026-26974
Code Behaviors & Features
Detect and mitigate CVE-2026-26974 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →