CVE-2026-47899
Description
Logseq's Electron preload script allows arbitrary file read/write/delete via renderer process due to improper path validation in an exposed API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Electron preload script in Logseq versions up to and including v0.10.15 exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation [1]. The flaw lies in how the preload script handles API methods invoked from the renderer process.
Exploitation
An attacker with JavaScript execution within the Logseq renderer process, achievable through methods such as Cross-Site Scripting (XSS) or a malicious plugin, can exploit this vulnerability. The attacker would need to call the exposed API method with specially crafted arguments to bypass path validation and trigger arbitrary file operations.
Impact
Successful exploitation allows an attacker to read, write, or delete arbitrary files on the user's system. The scope of the compromise is limited to the privileges of the Logseq application running on the user's machine.
Mitigation
Logseq v0.10.15 has been confirmed as vulnerable. The status of other versions is unknown, as no patch has been released to address this issue [1]. The available references do not yet disclose a fixed version, workarounds, or end-of-life status.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.