Skip to main content

Logseq

4 CVEs product

Monthly

CVE-2026-47901 MEDIUM This Month

Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.

XSS Authentication Bypass Logseq
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-47900 MEDIUM This Month

Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.

XSS RCE Logseq
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-47899 HIGH This Week

Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Logseq
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-9279 HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection Logseq
NVD
CVSS 4.0
8.7
EPSS
0.1%
EPSS 0% CVSS 4.6
MEDIUM This Month

Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.

XSS Authentication Bypass Logseq
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.

XSS RCE Logseq
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Logseq
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.

XSS RCE Command Injection +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy