CVE-2026-26974 Overview
CVE-2026-26974 is an Arbitrary Code Execution vulnerability affecting Slyde, a program that creates animated presentations from XML. In versions 0.0.4 and below, Slyde's plugin loader (running under Node.js) automatically imports **/*.plugin.{js,mjs} files, including those inside node_modules, allowing any malicious package that ships a .plugin.js file to execute arbitrary code when it is installed or required.
Critical Impact
All projects using Slyde's plugin loading behavior are affected, especially those installing untrusted packages. Attackers can achieve arbitrary code execution by simply including a malicious .plugin.js file in a seemingly innocent npm package.
Affected Products
- Slyde versions 0.0.4 and below
- Projects using Slyde's default plugin loading configuration
- Any environment installing untrusted npm packages alongside Slyde
Discovery Timeline
- 2026-02-20 - CVE-2026-26974 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26974
Vulnerability Analysis
This vulnerability stems from an overly permissive plugin auto-loading mechanism in Slyde. The application's default configuration for plugin discovery uses glob patterns that recursively search for plugin files across all directories, including the node_modules folder. This design flaw means that any installed npm package containing a file matching the pattern **/*.plugin.{js,mjs} or **/*.plugins.{js,mjs} will have its code automatically imported and executed.
The attack requires network access and user interaction (installing a malicious package), but once the conditions are met, it provides complete code execution with the privileges of the Node.js process. The vulnerability affects both confidentiality and integrity, as malicious code can read sensitive data and modify application behavior.
Root Cause
The root cause is CWE-829: Inclusion of Functionality from Untrusted Control Sphere. Slyde's default glob patterns for plugin discovery were too broad, scanning the entire node_modules directory tree for plugin files. This allowed external, potentially malicious packages to inject code into the application's runtime environment without any validation or explicit user consent.
Attack Vector
An attacker can exploit this vulnerability through a supply chain attack vector:
- Create a malicious npm package containing a file with a .plugin.js or .plugin.mjs extension
- The package can appear legitimate with a convincing name and description
- When a victim installs the malicious package (directly or as a transitive dependency) alongside Slyde
- Slyde's plugin loader automatically discovers and imports the malicious plugin file
- Arbitrary JavaScript code executes in the context of the Node.js process
The following patch shows how the vulnerability was fixed: the default plugin glob is restricted to the plugins/ directory and to files with the .slyde.{js,mjs} suffix, so nothing under node_modules is picked up by default:
alias: 'p',
array: true,
coerce: (value: readonly string[]) => FastGlob.sync([...value]),
- default: [
- 'plugins/**.{js,mjs}',
- 'slyde/**.{js,mjs}',
- '**/*.plugins.{js,mjs}',
- '**/*.plugin.{js,mjs}',
- '**/*.slyde.{js,mjs}',
- ] as string[],
+ default: ['plugins/**.slyde.{js,mjs}'] as string[],
description: 'A directory or file to import and use as custom tags',
type: 'string',
})
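Review bot: the fix narrows only the default, while the `coerce` line still runs `FastGlob.sync` over whatever patterns a user passes, so a project that explicitly configures a broad pattern such as `'**/*.plugin.{js,mjs}'` will again import files from node_modules. Consider passing `{ ignore: ['**/node_modules/**'] }` to `FastGlob.sync` in `coerce` so dependency trees are excluded regardless of the pattern, and update `description: 'A directory or file to import and use as custom tags'`, which no longer matches the value: the option is a glob pattern, and `plugins/**.slyde.{js,mjs}` should be documented as such (including whether nested directories under plugins/ are meant to be scanned).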
Source: GitHub Commit Update
Detection Methods for CVE-2026-26974
Indicators of Compromise
- Unexpected .plugin.js or .plugin.mjs files (or the .plugins.* and .slyde.* variants the 0.0.4 defaults also match) appearing in node_modules subdirectories
- Unusual npm packages installed as dependencies with plugin-like file structures
- Unexpected process behavior or network connections originating from the Slyde process
- Modified or newly created files outside expected application directories
Detection Strategies
- Scan node_modules directories for files matching *.plugin.js or *.plugin.mjs (and the *.plugins.* and *.slyde.* patterns from the vulnerable defaults) that do not come from trusted sources
- Monitor npm package installations and audit dependency trees for suspicious packages
- Implement file integrity monitoring to detect unexpected plugin files being loaded
- Review Slyde's plugin loading configuration for overly permissive glob patterns
Monitoring Recommendations
- Enable Node.js process monitoring to detect unexpected code execution patterns
- Implement runtime application self-protection (RASP) to detect injection attempts
- Log and alert on new file creations matching plugin filename patterns in node_modules
- Monitor npm audit reports for dependency vulnerabilities in projects using Slyde
How to Mitigate CVE-2026-26974
Immediate Actions Required
- Upgrade Slyde to version 0.0.5 or later immediately
- Audit all npm packages installed in projects using Slyde versions 0.0.4 and below
- Search for and remove any suspicious .plugin.js or .plugin.mjs files (and .plugins.* or .slyde.* files, which the vulnerable defaults also load) in node_modules directories
- Review the dependency tree for untrusted or unknown packages
Patch Information
The vulnerability has been fixed in Slyde version 0.0.5. The fix restricts the default plugin loading glob pattern to only scan the plugins/ directory for files with the .slyde.{js,mjs} extension, preventing automatic loading of plugin files from node_modules. For more details, see the GitHub Security Advisory GHSA-w7h5-55jg-cq2f and the version 0.0.5 release.
Workarounds
- Manually configure the plugin paths option to explicitly specify only trusted plugin directories
- Audit and restrict which packages are installed in node_modules
- Use npm's package-lock.json or yarn.lock to ensure consistent and audited dependency versions
- Consider using a private npm registry with package scanning capabilities
# Configuration example
# Explicitly specify trusted plugin directories when running Slyde
slyde --plugins "plugins/**.slyde.{js,mjs}"
# Audit node_modules for files matching any suffix the vulnerable defaults auto-load;
# the grouped -name tests are evaluated together, and -exec handles paths with spaces
find node_modules \( -name "*.plugin.js" -o -name "*.plugin.mjs" -o -name "*.plugins.js" -o -name "*.plugins.mjs" -o -name "*.slyde.js" -o -name "*.slyde.mjs" \) -exec echo "Suspicious file: {}" \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.