Description
Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context.
While only version v0.10.15 was tested and confirmed as vulnerable, the status of other versions is unknown since this issue was not addressed by a patch.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A plugin installed in Logseq can place arbitrary JavaScript in the "name" field of its package.json, and that field is rendered with innerHTML in the interface without sanitization. The payload persists with the plugin and executes every time the interface renders the plugin's metadata, so a malicious plugin runs code in the privileged host context rather than in the plugin's own sandbox. Logseq desktop is an Electron application, so script executing in the host context has far more reach than a page in an ordinary browser tab: it can read and modify the user's notes, exfiltrate locally stored data and tokens, or perform any action the application itself is allowed to perform.

Affected Systems

The vulnerability was confirmed in Logseq v0.10.15. No patch has been released and no other release has been tested, so earlier and later versions should be treated as affected until the rendering path is fixed. Any user who installs a malicious plugin, or a previously benign plugin whose update adds the payload, triggers the attacker's code.

Risk and Exploitability

The CVSS 4.0 score of 4.6 (Medium) reflects a local attack vector with no privileges required but active user interaction (the vector is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, i.e. the user must install the plugin). EPSS is not yet available and the CVE is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation and rates the issue as not automatable. The attack vector is installation of a malicious or compromised plugin; once the plugin is loaded the payload executes without further interaction. No public exploit is known. Until a fix ships, mitigation is to install only plugins from trusted authors, inspect a plugin's package.json for markup in its metadata fields before installing it, and upgrade Logseq as soon as a patched release is available.

Generated by OpenCVE AI on June 9, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install plugins only from trusted or signed sources, and refuse any package whose package.json "name" (or other displayed metadata) contains HTML markup or script instead of a plain package name.
  • Disable or uninstall the Logseq plugin system until the vendor releases a security fix, so that no plugin metadata reaches the unsanitized rendering path.
  • Monitor the Logseq release channel for an update that addresses the unsanitized metadata rendering and upgrade as soon as it becomes available.
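The following is an added example, not Logseq's own code, illustrating both the mechanism described under Impact and the metadata check in the first recommended action: a plugin card built by string interpolation and handed to an innerHTML sink turns the "name" field into live markup, the escaped rendering does not, and a validator that enforces ordinary npm package-name rules rejects such a manifest before it is loaded. The package.json contents, the card template and every function name are constructed for this example; Logseq's real rendering code is not shown on this page.

```javascript
// Added example (not Logseq's code). Shows how plugin metadata interpolated
// into markup destined for element.innerHTML becomes executable HTML, the
// escaped rendering that prevents it, and a manifest check that rejects a
// plugin whose "name" is not a legal package name. The package.json strings,
// the card template and all function names are constructed assumptions.

// Constructed manifests: one carrying the kind of payload the advisory
// describes, one ordinary.
const MALICIOUS_PACKAGE_JSON = JSON.stringify({
  name: '<img src=x onerror="alert(document.title)">',
  version: '1.0.0',
  description: 'Looks harmless',
});
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: 'logseq-example-plugin',
  version: '1.0.0',
  description: 'An ordinary plugin',
});

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw interpolation into a string that is later assigned
// to innerHTML. Whatever is in pkg.name is parsed as markup by the browser.
function renderPluginCardUnsafe(pkg) {
  return `<div class="plugin-card"><h3>${pkg.name}</h3>` +
         `<p>${pkg.description}</p></div>`;
}

// Hardened pattern: escape every field before it reaches the sink. Setting
// textContent on a real element instead of using innerHTML is equivalent.
function renderPluginCardSafe(pkg) {
  return `<div class="plugin-card"><h3>${escapeHtml(pkg.name)}</h3>` +
         `<p>${escapeHtml(pkg.description)}</p></div>`;
}

// Count opening tags; more tags than the template itself contains means
// metadata was interpreted as markup.
function countTags(html) {
  return (html.match(/<[a-z][^>]*>/gi) || []).length;
}

// Defence in depth: a legal npm package name is lowercase, URL-safe and at
// most 214 characters, so "<", ">", quotes and whitespace can never appear.
// The pattern approximates npm's published package-name rules.
const NPM_NAME_RE = /^(?:@[a-z0-9~*-][a-z0-9._~*-]*\/)?[a-z0-9~-][a-z0-9._~-]*$/;

function isValidNpmName(name) {
  return typeof name === 'string' && name.length > 0 &&
         name.length <= 214 && NPM_NAME_RE.test(name);
}

// Parse a package.json string and decide whether the plugin may be loaded.
function auditPluginManifest(jsonText) {
  let pkg;
  try {
    pkg = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, reason: 'package.json is not valid JSON' };
  }
  if (!pkg || typeof pkg !== 'object') {
    return { ok: false, reason: 'package.json is not an object' };
  }
  if (!isValidNpmName(pkg.name)) {
    return { ok: false, reason: `rejected plugin name ${JSON.stringify(pkg.name)}` };
  }
  return { ok: true, pkg };
}

// Stand-alone demonstration.
const demoPkg = JSON.parse(MALICIOUS_PACKAGE_JSON);
console.log('unsafe:', renderPluginCardUnsafe(demoPkg));
console.log('safe:  ', renderPluginCardSafe(demoPkg));
console.log('audit: ', auditPluginManifest(MALICIOUS_PACKAGE_JSON).reason);
```

The unsafe card contains four opening tags (div, h3, the injected img, p) while the escaped card contains the template's three; the manifest audit rejects the malicious name before any rendering happens. The escaping and the name check are independent controls: the first is what the vendor fix needs, the second is what a user or a plugin marketplace can enforce today.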



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 16:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Logseq; Logseq logseq

Type: Vendors & Products
Values Removed: (none)
Values Added: Logseq; Logseq logseq

Tue, 09 Jun 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.

Type: Title
Values Removed: (none)
Values Added: Stored XSS via Unsanitized Plugin Metadata in Logseq

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added: {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-09T14:39:50.413Z

Reserved: 2026-05-20T14:37:51.162Z

Link: CVE-2026-47900

Vulnrichment

Updated: 2026-06-09T14:39:47.191Z

NVD

Status : Deferred

Published: 2026-06-09T14:16:43.700

Modified: 2026-06-09T14:47:47.457

Link: CVE-2026-47900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T16:15:08Z

Weaknesses