CVE-2026-47901
Description
Logseq plugins can escape sandboxed iframes by injecting HTML attributes, leading to arbitrary JavaScript execution and potential filesystem access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Logseq plugins can escape sandboxed iframes by injecting HTML attributes, leading to arbitrary JavaScript execution and potential filesystem access.
Vulnerability
Logseq versions up to and including v0.10.15 are affected by a sandbox escape vulnerability. Plugins running within sandboxed iframes can inject arbitrary HTML attributes, such as event handlers, into their containing element in the host DOM. This is exacerbated by a disabled Content Security Policy (CSP) [1].
Exploitation
An attacker needs to create a malicious Logseq plugin. This plugin, when installed and run by a victim, can inject HTML attributes into its iframe container. Due to the disabled CSP, these injected attributes can trigger arbitrary JavaScript execution in the privileged host context of Logseq.
Impact
Successful exploitation allows a malicious plugin to execute arbitrary JavaScript in the host context, potentially leading to unauthorized access to filesystem APIs and other sensitive operations within Logseq.
Mitigation
Logseq has not yet released a patch for this vulnerability, and the status of versions beyond v0.10.15 is unknown. No workarounds are currently disclosed [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.