Description
The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can read, write, or delete arbitrary files on the user's system.
While only version v0.10.15 was tested and confirmed as vulnerable, the status of other versions is unknown, since this issue has not been addressed by a patch.
Published: 2026-06-09
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Electron preload script in Logseq exposes an IPC API that accepts file paths from the renderer process without validation. An attacker who can execute JavaScript in the renderer, for example by exploiting XSS or installing a malicious plugin, can read, overwrite or delete any file that the user's account can access. This flaw belongs to CWE-749 and effectively permits unauthorized file access, which could be leveraged to inject code or alter system state, impacting confidentiality, integrity and availability.

Affected Systems

Logseq is affected. Version 0.10.15 has been confirmed vulnerable, and the status of other releases remains unknown because no patch has yet been issued by the vendor. Until a fix is released, any installation that still pulls the vulnerable code path remains at risk.

Risk and Exploitability

The CVSS score of 8.7 categorises the issue as high severity. The exploitation route requires JavaScript execution inside the renderer, a scenario typically achieved through XSS or compromised plugins, so it is a contextual vector rather than a purely remote one. EPSS is not available and the vulnerability is not in CISA's KEV catalog, yet the lack of a patch combined with the potential impact makes it a high-priority concern. Any untrusted plugin or web content that can run JavaScript in the renderer should be treated as a possible vector for escalation.

Generated by OpenCVE AI on June 9, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Logseq to the newest release that contains the fix as soon as it is published
  • Remove or disable untrusted or third-party plugins, and grant plugin installation only to verified packages
  • Enforce a strict content-security policy in the renderer and sanitise any user-provided file paths before they reach IPC handlers

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 15:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Logseq
                                        Logseq logseq
Vendors & Products                      Logseq
                                        Logseq logseq

Tue, 09 Jun 2026 14:15:00 +0000

Type                  Values Removed    Values Added
Description                             The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin), can read, write, or delete arbitrary files on the user's system. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.
Title                                   Arbitrary File Read, Write, Rename, and Delete in Logseq
Weaknesses                              CWE-749
References
Metrics                                 cvssV4_0
                                        {'score': 8.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-09T14:39:12.823Z

Reserved: 2026-05-20T14:37:51.162Z

Link: CVE-2026-47899

Vulnrichment

Updated: 2026-06-09T14:39:07.332Z

NVD

Status : Deferred

Published: 2026-06-09T14:16:43.550

Modified: 2026-06-09T14:47:47.457

Link: CVE-2026-47899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T15:30:08Z

Weaknesses