Logseq IPC Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

Logseq versions through 0.10.15 contain a vulnerability that allows arbitrary shell command execution via an inter-process communication (IPC) handler. The renderer process can execute commands with the Logseq process's privileges, leading to remote code execution on the host. The handler restricts command names to an allowlist of utilities such as git and grep, but the argument strings are not restricted in the same way and can include shell metacharacters, which bypasses the allowlist. An attacker who can execute JavaScript in the renderer, for example through cross-site scripting (XSS) or a malicious plugin, can exploit this vulnerability.
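The pattern described above, next to a hardened form, as an added Node.js example that is not Logseq's code. The function names and handler shape are hypothetical, the input is constructed with a harmless marker, and a POSIX system with `grep` on the PATH is assumed.

```javascript
// Added illustration; handler names and shape are hypothetical, not Logseq's code.
const { execSync, execFileSync } = require("node:child_process");

// Allowlist of command names, using the two utilities the advisory mentions.
const ALLOWED = new Set(["git", "grep"]);

function assertAllowed(command) {
  if (!ALLOWED.has(command)) throw new Error(`command not allowed: ${command}`);
}

// Pattern the advisory describes: the name is checked, but name and argument
// string are joined and passed to a shell, which interprets metacharacters.
function runViaShell(command, argString, opts = {}) {
  assertAllowed(command);
  return execSync(`${command} ${argString}`, { encoding: "utf8", ...opts });
}

// Hardened form: arguments travel as an argv array and no shell is involved,
// so metacharacters reach the allowlisted program as literal bytes.
function runWithoutShell(command, args, opts = {}) {
  assertAllowed(command);
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new TypeError("args must be an array of strings");
  }
  return execFileSync(command, args, { encoding: "utf8", ...opts, shell: false });
}

// Constructed input: a harmless marker stands in for a second command.
const MARKER = "; echo SECOND_COMMAND_RAN";

function demo() {
  // Shell path: grep finds nothing in /dev/null, then the shell runs the marker.
  const shellOut = runViaShell("grep", `-c x /dev/null ${MARKER}`);
  // No-shell path: grep receives the marker as its search pattern and counts
  // the one stdin line that contains it literally.
  const safeOut = runWithoutShell("grep", ["-c", "-F", "-e", MARKER], {
    input: `note text ${MARKER}\nunrelated line\n`,
  });
  return { shellOut, safeOut };
}

console.log(demo());
```

Removing the shell does not stop the allowlisted program from parsing arguments that begin with `-` as its own options, so untrusted values still need validation or a preceding `--`.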

Impact

Exploitation of this vulnerability allows for arbitrary shell command execution on the host system, with the same privileges as the Logseq process.

Added: Jun 9, 2026, 2:38 PM
Updated: Jun 9, 2026, 2:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.