Logseq Flaws Enable XSS-to-RCE and Arbitrary File Access
CERT Polska disclosed four vulnerabilities in Logseq affecting releases through 0.10.15, including an OS command injection flaw, an exposed dangerous function that permits arbitrary file operations, a stored XSS issue in plugin metadata, and a sandbox escape that can lead to privileged JavaScript execution. The vulnerabilities were reported by Bartłomiej Dmitruk of striga.ai and published after coordinated disclosure.
The issues can be chained so that an attacker who gains JavaScript execution in the renderer—through stored XSS or a malicious plugin—can escalate to arbitrary shell command execution or unauthorized access to files on the host system. CERT Polska said v0.10.15 was tested and confirmed vulnerable for one issue, while the status of other versions remained unclear because the vendor had not yet addressed the problems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-41031 received for Vinna Process Monitor stored XSS
A new CVE entry for a stored cross-site scripting vulnerability in Vinna Process Monitor was received by info@cert.vde.com. The flaw affects Version 4.0 Service Pack 1 (Build 63255) and could allow a low-privileged authenticated attacker to inject JavaScript and steal administrative tokens or session credentials.
CERT Polska publishes four Logseq vulnerability disclosures
CERT Polska disclosed four vulnerabilities affecting Logseq, including OS command injection, arbitrary file operations, stored XSS in plugin metadata, and a sandbox escape. The notice says all were published on 2026-06-09 and that releases through 0.10.15 are affected, with only v0.10.15 tested for one issue.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-41031 - A Stored Cross-Site Scripting (XSS) vulnerability occurs in Vinna Process Monitor
cvefeed.io
Open sourceCVE-2026-9279 - Shell command injection in Logseq
cvefeed.io
Open sourceCVE-2026-47899 - Arbitrary File Read, Write, Rename, and Delete in Logseq
cvefeed.io
Open sourceVulnerabilities in Logseq software | CERT Polska
cert.pl
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Three LMS Flaws Expose Databases and Enable Command Injection
CERT Polska disclosed three vulnerabilities in **LMS (LAN Management System)**, including two high-severity issues tracked as `CVE-2026-40455` and `CVE-2026-40456`. The first is an authenticated SQL injection in `tarifflist.php` before commit `4cb30a7`, caused by insufficient sanitization of the POST `tg[]` parameter and unsafe query construction with `implode()`, allowing attackers to extract sensitive database information. The second is an OS command injection before commit `9fcb4de`, where an IP address parameter is passed to `exec()` without proper validation, enabling arbitrary operating system command execution. CERT Polska also reported `CVE-2026-40457`, a reflected XSS flaw in `dbrecover.php` and `netremap.php` before commit `9c5651b` that can trigger arbitrary JavaScript execution when an authenticated user opens a crafted link under certain conditions. The SQL injection and command injection bugs were both rated **High** with CVSS 4.0 base scores of **8.6**, and the disclosure credited **Tymoteusz Dominik** for responsibly reporting the issues. Organizations running LMS versions prior to the referenced commits should prioritize patching and review exposure of authenticated administrative functions.
Jun 29, 2026
LogStash Flaws Expose Data and Enable Arbitrary Code Execution
German government CERT advisories disclosed two security flaws in **LogStash**, including one that can lead to **information disclosure** and another that allows **arbitrary code execution** in the context of the LogStash service. The code-execution issue is the more severe of the two, as successful exploitation could let an attacker run unauthorized commands with the privileges assigned to the service. The paired advisories indicate that affected LogStash deployments face both confidentiality and system-compromise risks, making exposed or unpatched instances a priority for remediation. Organizations using LogStash should identify vulnerable installations, apply vendor fixes or mitigations, and review service permissions and monitoring data for signs of exploitation or abnormal access.
Jun 29, 2026
Multiple Bludit CMS Flaws Enable RCE, XSS, and Session Hijacking
CERT Polska disclosed four vulnerabilities in the Bludit content management system, including an unrestricted file upload flaw tracked as **CVE-2026-25099** that can lead to remote code execution, a stored XSS issue in image upload handling (**CVE-2026-25100**), a session fixation weakness that can enable session hijacking (**CVE-2026-25101**), and a separate stored XSS flaw in page creation tracked as **CVE-2026-4420**. The vulnerabilities were reported by researchers Arkadiusz Marta and Yassin Abdelrazek and affect multiple Bludit versions, with **CVE-2026-25099** impacting all releases before `3.18.4`, **CVE-2026-25101** affecting versions before `3.17.2`, **CVE-2026-25100** affecting all versions through `3.18.2`, and **CVE-2026-4420** confirmed in `3.17.2` and `3.18.0`. The XSS flaws can be exploited by authenticated users with content or page creation privileges by injecting malicious JavaScript into uploaded SVG content or article tags, with payloads executing when victims access publicly reachable resources without authentication. CERT Polska said the page-creation XSS could be used to automatically create a new site administrator if the victim has sufficient privileges, while the file upload issue could allow direct server-side compromise through remote code execution. The agency also said vendor coordination was incomplete, noting the vendor stopped responding or did not provide details on remediation and affected version ranges, raising uncertainty over whether some future releases may remain vulnerable.
Jun 29, 2026