Skip to main content

Logseq EUVDEUVD-2026-35438

| CVE-2026-47901 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 CERT-PL GHSA-jm26-ghmc-7c2w
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 14:32 vuln.today
CVSS changed
Jun 09, 2026 - 14:22 NVD
4.6 (MEDIUM)

DescriptionCVE.org

Logseq is vulnerable to a sandbox escape flaw where plugins running in sandboxed iframes can inject arbitrary HTML attributes, such as event handlers, into their container element in the host DOM. Due to a disabled Content Security Policy (CSP), this allows a malicious plugin to execute arbitrary JavaScript in the privileged host context, potentially gaining unauthorized access to filesystem APIs. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.

AnalysisAI

Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

Logseq is a local-first, Electron-based knowledge management application that supports third-party plugins running inside sandboxed iframes to isolate them from the host environment. The vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) arises because the application fails to sanitize or restrict which HTML attributes plugin content can inject into its container element in the host DOM. A plugin can therefore inject JavaScript event handlers such as onmouseover or onclick directly into the host DOM tree. Critically, the Logseq host context operates without a Content Security Policy, meaning there is no browser-enforced restriction preventing these injected inline event handlers from executing. Once triggered by user interaction with the affected DOM element, the injected JavaScript runs in the Electron renderer's privileged context, where Logseq's filesystem APIs and potentially Node.js integration are accessible. The affected CPE is cpe:2.3:a:logseq:logseq:*:*:*:*:*:*:*:*, though only v0.10.15 has been empirically confirmed vulnerable.

RemediationAI

No vendor-released patch has been identified at time of analysis. As the most direct compensating control, users should disable all third-party Logseq plugins immediately if sensitive local data is accessible - this eliminates the attack vector entirely but removes all plugin functionality as a trade-off. For users who require plugins, restricting usage strictly to plugins with audited, publicly available source code significantly reduces exposure, since the attack requires the attacker to control plugin code. Users should monitor https://logseq.com/ and the Logseq GitHub repository for a patch release addressing the missing Content Security Policy and the attribute injection pathway. Organizations should audit their plugin inventory and remove any plugins from unknown or unverified authors pending a vendor fix. The CERT-PL advisory at https://cert.pl/en/posts/2026/06/CVE-2026-9279/ should be tracked for updates on patch availability.

Share

EUVD-2026-35438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy