Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde

Severity:: High

Description

This is a remote code execution (RCE) vulnerability. Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file could execute arbitrary code when installed or required.

Recommendation

Update the @tygo-van-den-hurk/slyde package to the latest compatible version. Followings are version details:

Affected version(s): < 0.0.5
Patched version(s): 0.0.5

References

GHSA-w7h5-55jg-cq2f
CVE-2026-26974
CWE-829
CAPEC-310
OWASP 2021-A6
OWASP 2021-A8

Related Issues

Improper Control of Generation of Code in doT - CVE-2020-8141
protobuf.js: Code generation gadget after prototype pollution - CVE-2026-44291
claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh - CVE-2026-45136
protobuf.js: Code injection through bytes field defaults in generated toObject code - CVE-2026-44293

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; @tygo-van-den-hurk/slyde

Anything's wrong? Let us know Last updated on February 20, 2026