Full Report
CERT Polska has received a report about four vulnerabilities (CVE-2026-9279 and CVE-2026-47899 through CVE-2026-47901) found in Logseq software.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Logseq
## CVE Details
- **CVE ID:** CVE-2026-9279, CVE-2026-47899, CVE-2026-47900, CVE-2026-47901
- **CVSS Score:** Not stated in the source advisory (the impact described below would place it in the High to Critical range).
- **CWE:**
  - CWE-78: OS Command Injection
  - CWE-749: Exposed Dangerous Method or Function
  - CWE-79: Cross-site Scripting (XSS)
## Affected Systems
- **Products:** Logseq (Desktop application)
- **Versions:** All versions through 0.10.15
- **Configurations:** Systems where third-party plugins are installed or where untrusted content is rendered.
## Vulnerability Description
Four distinct vulnerabilities were identified in the Logseq desktop application:
1. **CVE-2026-9279 (OS Command Injection):** Logseq's IPC handler lets the renderer process request execution of commands such as `git` or `grep`. Because the handler calls `child_process.spawn` with `shell: true` and concatenates unsanitized renderer-supplied arguments into the command line, an attacker who controls any argument can inject shell metacharacters (for example `;` or `|`) and execute arbitrary system commands.
2. **CVE-2026-47899 (Path Validation Bypass):** The Electron preload script lacks proper path validation. This allows a compromised renderer to invoke IPC handlers that can read, write, or delete arbitrary files on the host filesystem.
3. **CVE-2026-47900 (Stored XSS via Plugin Metadata):** Logseq fails to sanitize the `name` field in a plugin's `package.json`. When this metadata is rendered using `innerHTML`, it allows for the execution of arbitrary JavaScript in the host context.
4. **CVE-2026-47901 (Sandbox Escape):** Plugins in sandboxed iframes can inject HTML attributes (like event handlers) into their container elements. Combined with a disabled Content Security Policy (CSP), this allows a malicious plugin to escape its sandbox and gain host-level privileges.
## Exploitation
- **Status:** PoC described in advisory; no confirmed reports of exploitation in the wild at the time of publication.
- **Complexity:** Medium (Requires a mechanism for JS execution, such as a malicious plugin or XSS).
- **Attack Vector:** Network (a malicious community plugin installed by the user) or Local.
## Impact
- **Confidentiality:** High (Total access to local files and system data).
- **Integrity:** High (Ability to modify/delete files and execute arbitrary commands).
- **Availability:** High (Potential for system-wide compromise or data deletion).
## Remediation
### Patches
- As of the publication date (June 09, 2026), the vendor has **not addressed** these issues. Version 0.10.15 is confirmed vulnerable, and subsequent versions should be treated as potentially vulnerable until an official patch is announced.
### Workarounds
- **Disable/Uninstall Plugins:** Exercise extreme caution with third-party plugins. Only install plugins from trusted sources.
- **Avoid Untrusted Content:** Do not open Logseq graphs or files from unknown sources.
- **Filesystem Permissions:** Run the application with the minimum necessary user privileges to limit the impact of a command injection.
## Detection
- **Indicators of Compromise:** Unusual child processes spawned by Logseq (e.g., `cmd.exe`, `/bin/sh`, or network tools not initiated by the user). Note that because the vulnerable handler already runs `git` and `grep` through `shell: true`, a shell child of Logseq is expected whenever those tools are used; the signal is what the shell runs next (download or network tools, interpreters) or shell metacharacters in its command line.
- **Detection methods:** Monitor for file access by the Logseq process outside the open graph directory, in particular to sensitive locations such as SSH keys, browser profiles or credential stores. Audit installed plugins for `package.json` manifests whose `name` contains markup or script, or whose `scripts` download or execute remote content.
## References
- [https://cert[.]pl/en/posts/2026/06/vulnerabilities-in-logseq-software/]
- [https://www[.]cve[.]org/CVERecord?id=CVE-2026-9279]
- [https://www[.]cve[.]org/CVERecord?id=CVE-2026-47899]
- [https://www[.]cve[.]org/CVERecord?id=CVE-2026-47900]
- [https://www[.]cve[.]org/CVERecord?id=CVE-2026-47901]