Skip to main content

Logseq EUVDEUVD-2026-35436

| CVE-2026-47899 HIGH
Exposed Dangerous Method or Function (CWE-749)
2026-06-09 CERT-PL GHSA-jq3m-h4m5-r9j5
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 14:30 vuln.today
CVSS changed
Jun 09, 2026 - 14:22 NVD
8.7 (HIGH)

DescriptionCVE.org

The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin), can read, write, or delete arbitrary files on the user's system. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.

AnalysisAI

Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Logseq is built on Electron, which separates a sandboxed Chromium renderer from a privileged Node.js main process. The two communicate via Electron's IPC channel, and a preload script defines which main-process functions the renderer is allowed to call. CWE-749 (Exposed Dangerous Method or Function) applies here: the preload script (contextBridge) registers an API that forwards calls to filesystem IPC handlers in the main process without canonicalising or constraining the supplied path. Because the main process runs with the full privileges of the user account, any path the renderer supplies - including paths outside the Logseq graph directory - is honoured for read, write, or delete operations, breaking the renderer/main trust boundary that Electron's context isolation is supposed to enforce.

RemediationAI

No vendor-released patch identified at time of analysis, so no fixed version can be cited. Until Logseq publishes a build that path-validates the exposed IPC method, the practical compensating controls are: avoid installing third-party Logseq plugins or audit any plugin source before loading it (trade-off: loses extensibility, which is a core Logseq value proposition); do not import untrusted markdown, HTML, or PDF content into graphs, since stored XSS in note rendering is the most likely renderer-foothold vector; run Logseq under a dedicated low-privilege OS account or inside a sandbox such as Firejail or Flatpak with restricted filesystem access so that arbitrary-file operations cannot reach the user's SSH keys, browser profiles, or shell rc files (trade-off: complicates graph storage paths and sync setups); and monitor https://logseq.com/ and the CERT-PL advisory at https://cert.pl/en/posts/2026/06/CVE-2026-9279/ for a patched release.

Share

EUVD-2026-35436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy