PT-2026-47804 · Logseq · Logseq

Bartłomiej Dmitruk · Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-9279

CVSS v4.0: 8.7 (High)
Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Logseq version 0.10.15

Description: An OS command injection flaw exists in the IPC handler that allows the renderer process to execute shell commands. Although an allowlist restricts command names to specific tools such as git, pandoc, and grep, the caller-supplied argument string is concatenated onto the allowlisted command name and the resulting string is passed to child_process.spawn() with the shell: true option. Because a shell interprets that string, metacharacters within the arguments bypass the allowlist. An attacker capable of executing JavaScript in the renderer, for example through Cross-Site Scripting (XSS) in note content or a malicious plugin, can execute arbitrary shell commands with the privileges of the Logseq process, resulting in remote code execution on the host.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-9279

Affected Products: Logseq