CVE-2026-47900
Deferred - Pending Action
Stored XSS in Logseq via Malicious Plugin Package.json

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: CERT.PL

Description
Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context. While only version v0.10.15 was tested and confirmed as vulnerable, the status of other versions is unknown, since this issue has not been addressed by a patch.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-15
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor    Product    Version / Range
logseq    logseq     to 0.10.15 (exc)
logseq    logseq     to 0.10.15 (inc)
Exploitability
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-47900 is a stored cross-site scripting (XSS) vulnerability in Logseq software affecting all versions up to and including 0.10.15.

A malicious plugin can insert a JavaScript payload into the "name" field of its package.json file.

This name field is rendered using innerHTML without proper sanitization, which allows the malicious JavaScript code to execute in the privileged host context.

This means an attacker who can install plugins can inject malicious scripts that run with elevated privileges.

Impact Analysis

This vulnerability allows an attacker who can install plugins to execute arbitrary code within the privileged host context.

As a result, the attacker could compromise the system by running malicious scripts, potentially leading to data theft, unauthorized actions, or system manipulation.

Detection Guidance

This vulnerability can be detected by inspecting installed plugins for malicious JavaScript payloads in the "name" field of their package.json files. Since the issue arises from the rendering of this field using innerHTML without sanitization, checking plugin package.json files for suspicious or unexpected script content is essential.

There are no specific commands provided in the available resources to detect this vulnerability automatically.

Mitigation Strategies

Immediate mitigation steps include avoiding the installation of untrusted or unknown plugins, as the vulnerability requires an attacker to install a malicious plugin.

Since no patch addressing this issue is available and only version 0.10.15 was confirmed vulnerable, consider restricting plugin installation or usage until a fix is released.
