CVE-2026-9279
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-78
Neutralización incorrecta de elementos especiales usados en un comando de sistema operativo (Inyección de comando de sistema operativo)
Fecha de publicación:
09/06/2026
Última modificación:
09/06/2026
Descripción
*** Pendiente de traducción *** Logseq exposes an IPC handler that allows the renderer process to execute shell commands. While an allowlist restricts the command name (e.g. `git`, `pandoc`, `grep`), the argument string is concatenated with the command and passed to `child_process.spawn` with the `shell: true` option, allowing shell metacharacters in the arguments to bypass the allowlist. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can execute arbitrary shell commands with the privileges of the Logseq process, leading to remote code execution on the host.<br />
While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch.
Impacto
Puntuación base 4.0
8.70
Gravedad 4.0
ALTA



