Logseq
Monthly
Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.
Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.
Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.
Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.
Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.
Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.