GHSA-w7h5-55jg-cq2f

Source
https://github.com/advisories/GHSA-w7h5-55jg-cq2f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-w7h5-55jg-cq2f/GHSA-w7h5-55jg-cq2f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w7h5-55jg-cq2f
Aliases
Published
2026-02-18T21:45:06Z
Modified
2026-02-20T17:03:01.473496Z
Severity
  • 7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
Details

Impact

This is a remote code execution (RCE) vulnerability. Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file could execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages.

Patches

The issue has been patched in v0.0.5. Users should upgrade to v0.0.5 or later to mitigate the vulnerability.

Workarounds

  • Audit and restrict which packages are installed in node_modules.

References

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T21:45:06Z",
    "cwe_ids": [
        "CWE-829"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-02-20T01:16:00Z"
}
Affected packages

npm / @tygo-van-den-hurk/slyde

Package

Name
@tygo-van-den-hurk/slyde
Purl
pkg:npm/%40tygo-van-den-hurk/slyde

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-w7h5-55jg-cq2f/GHSA-w7h5-55jg-cq2f.json"