Node.Js · Node.Js · CVE-2026-26974
**Name of the Vulnerable Software and Affected Versions**
Slyde versions 0.0.4 and below
**Description**
Slyde is a program used to create animated presentations from XML. A remote code execution issue exists because Node.js automatically imports `**/*.plugin.{js,mjs}` files, including those from `node modules`. This allows any malicious package containing a `.plugin.js` file to execute arbitrary code when installed or required. All projects utilizing this loading behavior are affected, particularly those installing packages from untrusted sources.
**Recommendations**
Upgrade to version 0.0.5 or later.
Audit and restrict which packages are installed in `node modules`.