Description
Logseq exposes an IPC handler that allows the renderer process to execute shell commands. While an allowlist restricts the command name (e.g. `git`, `pandoc`, `grep`), the argument string is concatenated with the command and passed to `child_process.spawn` with the `shell: true` option, allowing shell metacharacters in the arguments to bypass the allowlist. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can execute arbitrary shell commands with the privileges of the Logseq process, leading to remote code execution on the host.
Only version v0.10.15 was tested and confirmed as vulnerable; the status of other versions is unknown, since the issue has not been addressed by a patch.
Published: 2026-06-09
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Logseq exposes an insecure inter-process communication (IPC) interface that lets the renderer process run shell commands. The handler restricts the command name to an allowlist (the advisory names git, pandoc and grep as examples), but it concatenates the unsanitized argument string onto the command and passes the result to child_process.spawn with shell: true, so shell metacharacters in the arguments bypass the allowlist. An attacker who can execute JavaScript in the renderer, for instance through a cross-site scripting vector or a malicious plugin, can run arbitrary shell commands with the permissions of the Logseq process, achieving remote code execution on the host machine.

Affected Systems

The vulnerability has been confirmed only in Logseq version 0.10.15. It is unclear whether earlier or later releases are affected. No other vendor or product is reported to be impacted.

Risk and Exploitability

The CVSS v4.0 base score is 8.7 (High). The vector, AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N, records a local attack vector with no privileges or user interaction required, but with an attack requirement: the attacker must first obtain JavaScript execution inside the Logseq renderer, so the likelihood of exploitation depends on the presence of an XSS flaw or an exposed plugin mechanism. Without such a vector the risk is lower; with one, the high confidentiality and integrity impact on both the vulnerable and subsequent systems means full compromise of the host. The EPSS score is unavailable, so the probability of exploitation in the wild is uncertain. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 9, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Reduce the attacker's ability to run JavaScript in the Logseq renderer: install only trusted third-party plugins (or disable plugins, for example via a safe-mode configuration) and treat graphs and pasted content from untrusted sources as potential XSS payloads, since the IPC handler is only reachable once attacker-controlled script runs in the renderer.
  • Run Logseq with the lowest privilege level that still allows normal usage, preferably a non-administrator user account, so that any command executed through the RCE has limited access.
  • Monitor the Logseq process for child-process creation. Because the handler uses shell: true, Node launches the command line through /bin/sh -c on Unix (cmd.exe /d /s /c on Windows), so legitimate use also appears as a shell child of Logseq; alert on shell children whose command line contains metacharacters or invokes anything other than the allowlisted commands (git, pandoc, grep), and investigate any unexpected activity.
  • Watch the vendor's security advisories and apply a patch or a newer version of Logseq as soon as the issue is resolved.

Generated by OpenCVE AI on June 9, 2026 at 15:21 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 15:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Logseq; Logseq logseq
Vendors & Products  |                | Logseq; Logseq logseq

Tue, 09 Jun 2026 14:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Logseq exposes an IPC handler that allows the renderer process to execute shell commands. While an allowlist restricts the command name (e.g. `git`, `pandoc`, `grep`), the argument string is concatenated with the command and passed to `child_process.spawn` with the `shell: true` option, allowing shell metacharacters in the arguments to bypass the allowlist. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can execute arbitrary shell commands with the privileges of the Logseq process, leading to remote code execution on the host. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.
Title       |                | Shell command injection in Logseq
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-09T14:38:15.131Z

Reserved: 2026-05-22T13:55:56.770Z

Link: CVE-2026-9279

Vulnrichment

Updated: 2026-06-09T14:38:10.701Z

NVD

Status: Deferred

Published: 2026-06-09T14:16:45.773

Modified: 2026-06-09T14:47:47.457

Link: CVE-2026-9279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T15:30:08Z

Weaknesses