CVE-2026-47900

Vulnerability

Logseq versions up to and including v0.10.15 are vulnerable to stored cross-site scripting (XSS). A malicious plugin can inject a JavaScript payload into the name field of its package.json file. This payload is then rendered using innerHTML without adequate sanitization, leading to the execution of arbitrary code within the privileged host context [1].

Exploitation

An attacker can exploit this vulnerability by creating a malicious Logseq plugin. The plugin's package.json file must contain a JavaScript payload within the name field. When this plugin is installed and its package.json is processed by Logseq, the unsanitized innerHTML rendering will execute the payload [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code within the privileged host context of Logseq. This can lead to various security compromises, including data theft, unauthorized actions, or further system compromise, depending on the privileges of the Logseq application [1].

Mitigation

Logseq versions up to and including v0.10.15 are affected. The available references indicate that this issue was not addressed by a patch, and the status of other versions is unknown [1]. No fixed version or workaround is disclosed in the provided references.