CVE-2026-26974
Published: 20 February 2026
Summary
CVE-2026-26974 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Slyde.Js Slyde. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The vulnerability sits at the 10.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SA-12 (Supply Chain Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces supply chain protections to mitigate risks from malicious npm packages that exploit automatic loading of .plugin.js files for arbitrary code execution.
- Restricts user-installed software to prevent installation of untrusted node_modules packages containing malicious plugins that auto-execute on import.
- Deploys malicious code protection mechanisms to scan for and block arbitrary code execution from automatically imported plugin files in node_modules.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables supply-chain attacks by allowing arbitrary JavaScript execution from any malicious npm package that contains .plugin.js files in node_modules. This maps directly to compromise of software dependencies, with Node.js script execution occurring on install or load.
NVD Description
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5. To workaround this issue, users can audit and restrict which packages are installed in node_modules.
Deeper analysis
CVE-2026-26974 is a critical vulnerability (CVSS 9.8) affecting Slyde, a Node.js program for creating animated presentations from XML, in versions 0.0.4 and below. The issue stems from Node.js automatically importing all **/*.plugin.{js,mjs} files, including those within node_modules directories. This allows any malicious npm package containing a .plugin.js or .plugin.mjs file to execute arbitrary code upon installation or when required by the application. All projects relying on this automatic plugin loading behavior are vulnerable, particularly those that install untrusted packages from public registries.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability, enabling supply-chain attacks via malicious packages. By publishing or tricking users into installing a crafted package with a plugin file, attackers can achieve arbitrary code execution on the victim's system, potentially leading to full compromise with high confidentiality, integrity, and availability impacts as scored by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The root cause aligns with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
The vulnerability has been fixed in Slyde version 0.0.5, as detailed in the project's GitHub security advisory (GHSA-w7h5-55jg-cq2f), release notes, and the patching commit. As a workaround, users should audit node_modules contents and restrict installations to trusted packages only.
Details
- CWE(s)