CVE-2026-47901
Deferred Deferred - Pending Action

Sandbox Escape via CSP Bypass in Logseq

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: CERT.PL

Description
Logseq is vulnerable to a sandbox escape flaw where plugins running in sandboxed iframes can inject arbitrary HTML attributes, such as event handlers, into their container element in the host DOM. Due to a disabled Content Security Policy (CSP), this allows a malicious plugin to execute arbitrary JavaScript in the privileged host context, potentially gaining unauthorized access to filesystem APIs. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-30
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-28
NVD
CVE-2026-47901
EUVD
EUVD-2026-35438

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
logseq logseq to 0.10.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Since the vulnerability arises from plugins running in sandboxed iframes injecting arbitrary HTML attributes due to a disabled Content Security Policy (CSP), immediate mitigation steps include:

  • Avoid installing or running untrusted or unknown plugins in Logseq.
  • Disable or remove any suspicious plugins that might have been installed.
  • Consider restricting plugin installation permissions or running Logseq in a more isolated environment.
  • Monitor for updates or patches from Logseq that address this vulnerability and apply them once available.
Executive Summary

This vulnerability in Logseq involves a sandbox escape flaw where plugins running inside sandboxed iframes can inject arbitrary HTML attributes, including event handlers, into their container element within the host DOM.

Because the Content Security Policy (CSP) is disabled, a malicious plugin can exploit this to execute arbitrary JavaScript code in the privileged host context.

This allows the attacker to potentially gain unauthorized access to filesystem APIs, which should normally be restricted.

Impact Analysis

The vulnerability can allow a malicious plugin to execute arbitrary JavaScript code with elevated privileges in the host environment.

This could lead to unauthorized access to filesystem APIs, potentially exposing or modifying sensitive files on the user's system.

Such unauthorized access can compromise the confidentiality and integrity of user data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47901. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart