CVE-2026-26974 is a vulnerability classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) affecting Slyde, a Node.js application designed to create animated presentations from XML. In versions 0.0.4 and earlier, Slyde’s module loading mechanism automatically imports all files matching the pattern **/*.plugin.{js,mjs}, including those located within the node_modules directory. This behavior inadvertently allows any malicious package containing a .plugin.js file to execute arbitrary code during installation or runtime when the package is required. The root cause is the lack of validation or restriction on which plugin files are loaded, enabling attackers to craft malicious Node.js packages that, once installed, can run arbitrary JavaScript code with the privileges of the user running Slyde. Exploitation does not require prior authentication or elevated privileges but does require user interaction to install or require the malicious package. The vulnerability was addressed in Slyde version 0.0.5 by presumably restricting or sanitizing the plugin import process. The CVSS 4.0 vector indicates a network attack vector with high complexity, no privileges required, user interaction needed, and high impact on confidentiality and integrity. No known exploits have been reported in the wild to date. This vulnerability is particularly dangerous in environments where untrusted or third-party Node.js packages are installed without rigorous vetting, as it can lead to remote code execution and compromise of the host system.

The primary impact of CVE-2026-26974 is the potential for remote code execution on systems running vulnerable versions of Slyde when untrusted Node.js packages are installed. This can lead to full compromise of the host system, including unauthorized access to sensitive data, modification or destruction of files, and potential lateral movement within a network. Organizations using Slyde in development or production environments that rely on third-party or untrusted packages are at significant risk. The vulnerability undermines the confidentiality and integrity of affected systems and can disrupt availability if exploited to deploy ransomware or destructive payloads. Since Node.js environments are widely used in web development and automation, the scope of affected systems can be broad, especially in organizations with lax package management policies. The requirement for user interaction (installing or requiring a malicious package) limits automated exploitation but does not eliminate risk, particularly in development environments or CI/CD pipelines where dependencies are frequently updated. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as the vulnerability is publicly disclosed.

1. Upgrade Slyde to version 0.0.5 or later immediately to ensure the vulnerability is patched. 2. Implement strict package management policies: audit all Node.js dependencies before installation, especially those containing .plugin.js files. 3. Use package integrity verification tools such as npm audit, npm ci with package-lock.json, or third-party solutions to detect and prevent malicious packages. 4. Restrict installation of packages to trusted registries and avoid installing packages from unverified sources. 5. Employ static code analysis and sandboxing techniques to analyze plugin files before execution. 6. Monitor runtime behavior of Slyde instances for unusual activity indicative of code execution attacks. 7. Educate developers and DevOps teams about the risks of installing untrusted packages and the importance of dependency hygiene. 8. Consider isolating Slyde execution environments using containerization or least privilege principles to limit impact if exploitation occurs. 9. Review and restrict file import patterns in custom Node.js applications to avoid broad wildcard imports from untrusted directories.