CVE-2026-26974
Impact
This is a remote code execution (RCE) vulnerability. Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file could execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages.
Patches
The issue has been patched in v0.0.5. Users should upgrade to v0.0.5 or later to mitigate the vulnerability.
Workarounds
- Audit and restrict which packages are installed in node_modules.
References
- CWE-94: Improper Control of Generation of Code
- GitHub Security Advisories documentation: https://docs.github.com/en/code-security/security-advisories
- https://github.com/Tygo-van-den-Hurk/Slyde/security/advisories/GHSA-w7h5-55jg-cq2f
- https://nvd.nist.gov/vuln/detail/CVE-2026-26974
- https://github.com/Tygo-van-den-Hurk/Slyde/commit/e4c215b061e44fd2ead805de34d72642a710af60
- https://github.com/Tygo-van-den-Hurk/Slyde
- https://github.com/Tygo-van-den-Hurk/Slyde/releases/tag/v0.0.5
