Critical severity (9.6) · OSV Advisory · Published Oct 9, 2025 · Updated Apr 15, 2026
CVE-2025-56683
Description
A cross-site scripting (XSS) vulnerability in the component /app/marketplace.html of Logseq v0.10.9 allows attackers to execute arbitrary code by injecting arbitrary JavaScript into a crafted README.md file.
Affected products
Patches (1)
14cdf49aedd8d fix(plugins): avoid xss for the injected readme html content
3 files changed · +4 −2
gulpfile.js+1 −0 modified@@ -72,6 +72,7 @@ const common = { 'node_modules/react-dom/umd/react-dom.production.min.js', 'node_modules/react-dom/umd/react-dom.development.js', 'node_modules/prop-types/prop-types.min.js', + 'node_modules/dompurify/dist/purify.js', ]).pipe(gulp.dest(path.join(outputPath, 'js'))), () => gulp.src([ 'node_modules/@tabler/icons-react/dist/umd/tabler-icons-react.min.js',
resources/marketplace.html+2 −1 modified@@ -69,6 +69,7 @@ <body> <div id="app"></div> <script src="./js/marked.min.js"></script> +<script src="./js/purify.js"></script> <script> ;(async function () { const app = document.getElementById('app') @@ -131,7 +132,7 @@ } content = marked.parse(content).replace('src="./', `src="${fixLink('')}`) - setContent(content) + setContent(DOMPurify.sanitize(content)) } // load default
src/main/frontend/components/plugins.cljs+1 −1 modified@@ -202,7 +202,7 @@ (rum/defc remote-readme-display [{:keys [repo]} _content] - (let [src (str (if (string/includes? js/location.href "logseq") + (let [src (str (if (string/includes? js/location.host "logseq") "./static/" "./") "marketplace.html?repo=" repo)] [:iframe.lsp-frame-readme {:src src}]))
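Review bot: in the gulpfile.js hunk the copied asset is `node_modules/dompurify/dist/purify.js`, the unminified build, while the neighbouring entries ship production or minified variants (`react-dom.production.min.js`, `prop-types.min.js`); `dist/purify.min.js` would match the rest of the list. The diff also does not show `dompurify` being added to `package.json`, so confirm it is a declared dependency rather than one that happens to be present transitively.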
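Review bot: in the second resources/marketplace.html hunk, sanitising after `marked.parse` and after the `src` rewrite is the right order, since the sanitizer sees the final HTML that reaches `setContent`, but `DOMPurify.sanitize(content)` with the default profile still admits a broad set of HTML tags and attributes. Because this page renders README content fetched from third-party plugin repositories, an explicit allow-list via `ALLOWED_TAGS` / `ALLOWED_ATTR` (or a `FORBID_TAGS` list) covering only what a README legitimately needs would narrow the surface further. Separately, the unchanged `.replace('src="./', ...)` uses a string pattern, which rewrites only the first occurrence; a regular expression with the `g` flag would rewrite every relative image reference.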
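Review bot: in the src/main/frontend/components/plugins.cljs hunk, switching from `js/location.href` to `js/location.host` stops the `?repo=` query value or the path from influencing the prefix choice, but `string/includes?` on the host is still a substring test, so any host whose name contains "logseq" selects the `./static/` prefix; an exact comparison against the expected host, or a build-time flag, would state the intent plainly. This change is also unrelated to the sanitisation fix and is not mentioned in the commit message, so a sentence explaining why the path selection changed would help future readers.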
References