Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
- Severity:
- High
Description
This is a remote code execution (RCE) vulnerability. Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file could execute arbitrary code when installed or required.
Recommendation
Update the @tygo-van-den-hurk/slyde package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.0.5
- Patched version(s): 0.0.5
References
Related Issues
- Improper Control of Generation of Code in doT - CVE-2020-8141
- Budibase Improper Control of Dynamically-Managed Code Resources vulnerability - CVE-2022-3225
- @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection - CVE-2026-31975
- @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes - CVE-2026-31861
- Tags:
- npm
- @tygo-van-den-hurk/slyde
Anything's wrong? Let us know Last updated on February 20, 2026