CVE-2026-9279
Deferred - Pending Action
Remote Code Execution in Logseq via IPC Handler

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: CERT.PL

Description
Logseq exposes an IPC handler that allows the renderer process to execute shell commands. While an allowlist restricts the command name (e.g. `git`, `pandoc`, `grep`), the argument string is concatenated with the command and passed to `child_process.spawn` with the `shell: true` option, allowing shell metacharacters in the arguments to bypass the allowlist. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can execute arbitrary shell commands with the privileges of the Logseq process, leading to remote code execution on the host. While only version v0.10.15 was tested and confirmed as vulnerable, the status of other versions is unknown since this issue was not addressed by a patch.
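
The pattern described above, as an added example (not Logseq's own code and not part of the advisory): a handler that checks only the command name and spawns with `shell: true`, beside a form that passes the arguments as an array with no shell. The function names, the allowlist contents and the sample input are constructed, and it assumes a POSIX host with `sh` and `grep`.

```javascript
// Added example (not Logseq's code): an allowlist that covers the command
// name only, beside a handler that never involves a shell.
const { spawnSync } = require('node:child_process');

// Constructed allowlist, mirroring the names given in the advisory.
const ALLOWED = new Set(['git', 'pandoc', 'grep']);

// Vulnerable pattern: the name is checked, but the argument string is
// concatenated and the whole line is parsed by the shell.
function runVulnerable(command, argString) {
  if (!ALLOWED.has(command)) throw new Error(`command not allowed: ${command}`);
  return spawnSync(`${command} ${argString}`, { shell: true, encoding: 'utf8' });
}

// Hardened form: arguments arrive as an array and reach the program as argv
// entries. No shell runs, so metacharacters are ordinary bytes.
function runHardened(command, argv) {
  if (!ALLOWED.has(command)) throw new Error(`command not allowed: ${command}`);
  if (!Array.isArray(argv) || !argv.every((a) => typeof a === 'string' && !a.includes('\0'))) {
    throw new TypeError('argv must be an array of strings');
  }
  return spawnSync(command, argv, { shell: false, encoding: 'utf8' });
}

// Constructed, harmless input: the appended command only echoes a marker.
const MARKER = 'SECOND_COMMAND_RAN';
const untrusted = `-c pattern /dev/null; echo ${MARKER}`;

function demo() {
  const vulnerable = runVulnerable('grep', untrusted);
  const hardened = runHardened('grep', ['-c', 'pattern', `/dev/null; echo ${MARKER}`]);
  return {
    vulnerableRanSecondCommand: (vulnerable.stdout || '').includes(MARKER),
    hardenedRanSecondCommand: (hardened.stdout || '').includes(MARKER),
  };
}

console.log(demo());
```

Dropping the shell removes metacharacter interpretation only; an argument that begins with `-` is still parsed as an option by the target program, so per-command argument validation is a separate control.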
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
logseq | logseq | 0.10.15
logseq | logseq | to 0.10.15 (exc)
logseq | logseq | to 0.10.15 (inc)
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Detection Guidance

This vulnerability involves an IPC handler in Logseq that allows execution of shell commands with arguments that can include shell metacharacters, leading to remote code execution if an attacker has JavaScript execution in the renderer process.

Detection on your system or network would involve monitoring for suspicious shell command executions originating from the Logseq process, especially commands that include unusual or unexpected shell metacharacters.

Since the vulnerability requires JavaScript execution in the renderer (e.g., via XSS or malicious plugins), checking for installed plugins or scripts that could inject such payloads is also important.

Specific checks for exploitation attempts might include:

  • Using process monitoring tools (e.g., `ps aux | grep logseq`) to identify suspicious child processes spawned by Logseq.
  • Using system audit tools (e.g., `auditctl` on Linux) to log executions of shell commands spawned by Logseq.
  • Searching for suspicious plugin files or modifications in Logseq's plugin directories.
  • Network monitoring for unusual outbound connections initiated by Logseq processes.
Executive Summary

This vulnerability in Logseq involves an IPC handler that allows the renderer process to execute shell commands. Although an allowlist restricts which command names can be run (such as `git`, `pandoc`, `grep`), the argument string is concatenated with the command name and passed to `child_process.spawn` with `shell: true`, so a shell interprets any metacharacters in the arguments. An attacker who can run JavaScript in the renderer process (for example, through cross-site scripting or a malicious plugin) can therefore bypass the allowlist by placing shell metacharacters in the arguments, leading to arbitrary shell command execution with the privileges of the Logseq process.

Impact Analysis

The vulnerability allows an attacker with JavaScript execution capabilities in the renderer process to execute arbitrary shell commands on the host system with the same privileges as the Logseq process. This can lead to remote code execution, potentially allowing the attacker to take control of the affected system, access sensitive data, modify files, or perform other malicious actions.

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using Logseq version 0.10.15 or earlier: v0.10.15 is confirmed vulnerable, the status of other versions is unknown, and no patch is available.
  • Disable or remove any untrusted or suspicious plugins that could inject JavaScript into the renderer process.
  • Restrict or monitor the execution privileges of the Logseq process to limit potential damage from exploitation.
  • Implement application-level controls to prevent JavaScript injection or execution within Logseq.
  • Monitor system logs and processes for unusual activity related to Logseq.