CVE-2026-47899
Deferred - Pending Action
Electron Preload Script Path Validation Bypass in Logseq

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: CERT.PL

Description
The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can read, write, or delete arbitrary files on the user's system. While only version v0.10.15 was tested and confirmed as vulnerable, the status of other versions is unknown since this issue was not addressed by a patch.
Affected Vendors & Products

Vendor   Product   Version / Range
logseq   logseq    to 0.10.15 (exc)
logseq   logseq    to 0.10.15 (inc)

CWE-749: The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Executive Summary

The vulnerability exists in the Electron preload script used by Logseq. It exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation.

This means that if an attacker can execute JavaScript in the renderer process (for example, through cross-site scripting (XSS) or a malicious plugin), they can exploit this flaw to read, write, or delete arbitrary files on the user's system.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker with JavaScript execution capabilities in the renderer process to manipulate files on your system without restriction.

  • An attacker could read sensitive files, potentially exposing private data.
  • They could write or modify files, which might lead to data corruption or the introduction of malicious code.
  • They could delete important files, causing data loss or application malfunction.
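
The control the description says is missing is path validation on the main-process side of the IPC boundary. The following is an added example, not Logseq code or code from the advisory: the channel names, `resolveInsideRoot`, `dispatchFileRequest` and the sample root are hypothetical, and it assumes file access should be confined to a single directory.

```javascript
// Added example with hypothetical names; not Logseq source code.
const path = require('node:path');

// Constructed allowlist: the only file channels the main process accepts.
const FILE_CHANNELS = new Set(['fs:read', 'fs:write', 'fs:delete']);

// Resolve a renderer-supplied path and require it to stay under `root`.
function resolveInsideRoot(root, requested) {
  if (typeof requested !== 'string' || requested === '' || requested.includes('\0')) {
    throw new Error('invalid path argument');
  }
  const base = path.resolve(root);
  const target = path.resolve(base, requested); // an absolute input replaces base
  const rel = path.relative(base, target);
  // Comparing via path.relative also rejects siblings such as "<root>2/x",
  // which a plain string-prefix test on the resolved path would accept.
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error('path outside allowed root');
  return target;
}

// Main-process dispatcher: check channel and path before any handler runs.
function dispatchFileRequest(root, handlers, channel, requestedPath, ...rest) {
  if (!FILE_CHANNELS.has(channel) || typeof handlers[channel] !== 'function') {
    throw new Error('channel not allowed');
  }
  return handlers[channel](resolveInsideRoot(root, requestedPath), ...rest);
}

// Returns the handler result, or the reason the request was rejected.
function tryRequest(root, handlers, channel, requestedPath) {
  try {
    return { ok: true, value: dispatchFileRequest(root, handlers, channel, requestedPath) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample: a stub handler that echoes the validated path.
const sampleRoot = '/home/user/graph';
const sampleHandlers = { 'fs:read': (p) => `read ${p}` };
for (const p of ['pages/todo.md', '../outside.txt', '/etc/hostname', '../graph2/x']) {
  console.log(p, tryRequest(sampleRoot, sampleHandlers, 'fs:read', p));
}
console.log(tryRequest(sampleRoot, sampleHandlers, 'shell:exec', 'pages/todo.md'));
```

The check is lexical only: where symbolic links can exist under the root, canonicalise the existing part of the target with `fs.realpath` before the comparison. The validation belongs in the main process, because code running in the renderer controls every argument sent over IPC.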