Bartłomiej Dmitruk

**Name of the Vulnerable Software and Affected Versions** Logseq version 0.10.15 **Description** The Electron preload script exposes an API method that allows the renderer process to invoke IPC (Inter-Process Communication) handlers without proper path validation. An attacker capable of executing JavaScript in the renderer, such as through a malicious plugin or Cross-Site Scripting (XSS), can read, write, or delete arbitrary files on the local system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Logseq version 0.10.15 **Description** A stored cross-site scripting (XSS) issue exists where a malicious plugin can include a JavaScript payload in the `name` field of its `package.json` file. This occurs because the field is rendered using `innerHTML` without proper sanitization, enabling the execution of arbitrary code within the privileged host context. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Logseq is vulnerable to a sandbox escape flaw where plugins running in sandboxed iframes can inject arbitrary HTML attributes, such as event handlers, into their container element in the host DOM. Due to a disabled Content Security Policy (CSP), this allows a malicious plugin to execute arbitrary JavaScript in the privileged host context, potentially gaining unauthorized access to filesystem APIs. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.

**Name of the Vulnerable Software and Affected Versions** Logseq version 0.10.15 **Description** An OS command injection flaw exists in the IPC handler, which allows the renderer process to execute shell commands. Although an allowlist restricts command names to specific tools such as `git`, `pandoc`, and `grep`, the argument string is concatenated with the command and passed to the `child process.spawn()` function with the `shell: true` option. This configuration allows shell metacharacters within the arguments to bypass the allowlist. An attacker capable of executing JavaScript in the renderer, such as through Cross-Site Scripting (XSS) in note content or a malicious plugin, can execute arbitrary shell commands with the privileges of the Logseq process, resulting in remote code execution on the host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ollama for Windows versions 0.12.10 through 0.17.5 **Description** Ollama for Windows fails to verify the integrity or authenticity of downloaded update executables. The update verification routine on Windows unconditionally returns success, bypassing digital signature and trust validation before update payloads are staged or executed. This allows attacker-supplied executables to be accepted and executed. Because the application performs silent automatic updates, malicious payloads can be installed without user awareness. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ollama for Windows versions 0.12.10 through 0.17.5 **Description** The update mechanism in Ollama for Windows allows Remote Code Execution due to improper handling of attacker-controlled HTTP response headers. The application constructs local file paths using values from these headers without validation, passing them to the `filepath.Join()` function. This enables path traversal using sequences like `../` to write files outside the intended update staging directory. An attacker capable of influencing update responses can write arbitrary executables to locations accessible to the current user, such as the Windows Startup directory. When combined with a lack of signature verification for updates, malicious payloads can be delivered, written to sensitive locations, and executed automatically and persistently without user interaction, as the software performs silent automatic updates. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.