logo

Vulnerabilities in Logseq software

ID: 70ee8611-6c2e-5661-bc4f-0e766ea6bef7

STIX ID: report--70ee8611-6c2e-5661-bc4f-0e766ea6bef7

Feed Name: CERT Polska

Threat Score
75/100

Date Published: 2026-06-09

Date Updated: 2026-06-09

Author: CERT Polska

...
...

CERT Polska coordinated disclosure of four vulnerabilities in Logseq (through v0.10.15): an IPC handler command-injection leading to remote code execution (CVE-2026-9279), an insecure IPC/preload API allowing arbitrary file read/write/delete (CVE-2026-47899), a stored XSS via plugin package.json name rendering (CVE-2026-47900), and a sandbox escape due to disabled CSP allowing privileged JS execution (CVE-2026-47901). The flaws can be triggered by malicious plugins or renderer JavaScript (e.g., XSS) and grant attacker control or filesystem access under the Logseq process; disclosure credited to Bartłomiej Dmitruk and coordinated by CERT Polska.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.