Slyde Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Slyde versions prior to 0.0.4. The issue arises because Node.js automatically imports files with the extensions .plugin.js or .plugin.mjs from the node_modules directory. This behavior allows any malicious package containing a .plugin.js file to execute arbitrary code when the package is installed or required. The vulnerability affects all projects that utilize this loading behavior, particularly those that install untrusted packages.

Impact

Exploitation of this vulnerability allows for remote code execution on the system where Slyde is used.

Remediation

Users can upgrade to Slyde version 0.0.5 or later to address this vulnerability. Additionally, it is recommended to audit and restrict which packages are installed in the node_modules directory.

Added: Feb 20, 2026, 1:26 AM
Updated: Feb 20, 2026, 1:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.9
remediation: 0.0
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.