VYPR
High severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-9279

Description

Logseq's IPC handler allows command injection via shell metacharacters in arguments, enabling RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Logseq versions up to and including v0.10.15 are vulnerable to OS command injection. An IPC handler intended to execute specific commands like git, pandoc, or grep concatenates user-supplied arguments directly with the command and passes them to child_process.spawn with shell: true. This allows shell metacharacters within the arguments to bypass the command allowlist [1].

Exploitation

An attacker requires JavaScript execution within the Logseq renderer process, which can be achieved through cross-site scripting (XSS) vulnerabilities or a malicious Logseq plugin. Once JavaScript execution is achieved, the attacker can craft arguments containing shell metacharacters to inject arbitrary commands. These commands are then executed with the privileges of the Logseq application process [1].

Impact

Successful exploitation allows an attacker to execute arbitrary shell commands on the host system with the same privileges as the Logseq process. This can lead to remote code execution (RCE) and a full compromise of the affected machine, depending on the privileges Logseq is running with [1].

Mitigation

No patch has been released to address this vulnerability, and the status of versions beyond v0.10.15 is unknown. Therefore, no fixed version is available. Users are advised to be cautious with plugins and external inputs that could lead to JavaScript execution within Logseq [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.