CVE-2026-47252 - Anyquery browser plugin AppleScript/JXA injection
Anyquery browser plugins for Chrome, Brave, Edge, and Safari interpolated a
SQL-controlled url value into AppleScript or JXA source before invoking
osascript. A user who can issue INSERT or UPDATE statements against the
browser tab virtual tables can supply URL text that changes the generated
script and executes arbitrary AppleScript/JXA under the macOS user session.
This is a local-to-host code-execution boundary failure. It becomes more severe when Anyquery’s SQL interface is exposed over HTTP, used by agents, or run in a developer workstation session that has browser, filesystem, keychain, cloud, or repository credentials.
When to use it
Use this recipe when a repository embeds, vendors, wraps, configures, or documents Anyquery browser plugins for Chrome, Brave, Edge, or Safari, especially when SQL access is exposed to local agents, HTTP clients, shared workstations, or automation. It is a local-tool and agent-tool boundary recipe for preventing browser-tab mutation from becoming macOS script execution.
Do not use it to run AppleScript/JXA payloads. Use it to remove script-source interpolation, restrict write access, and document workstation/session review.
Inputs
go.mod,go.sum, vendored modules, forks, local plugin builds, MCP or agent tool configs, developer setup scripts, Dockerfiles, SBOMs, dependency reports, and docs that reference Anyquery browser plugins.- Custom code or forks containing
osascript, AppleScript/JXA source,fmt.Sprintf,newTabScript,setURLScript, or SQLINSERT/UPDATEpaths for browser tab virtual tables. - Exposure model for Anyquery: local-only CLI, HTTP server, shared workstation, CI/dev automation, MCP tool, or agent-accessible SQL interface.
- Authorization and approval controls for writing to
chrome_tabs,brave_tabs,edge_tabs, orsafari_tabs. - Workstation/browser session authority: cookies, local files, keychain prompts, SSH/Git/cloud/package/model credentials, and environment variables.
Affected versions
| Go module | Vulnerable versions | Fixed version |
|---|---|---|
github.com/julien040/anyquery/plugins/brave |
<0.0.0-20240826075852-c651df0b8767 |
0.0.0-20240826075852-c651df0b8767+ |
github.com/julien040/anyquery/plugins/chrome |
<0.0.0-20240826075852-c651df0b8767 |
0.0.0-20240826075852-c651df0b8767+ |
github.com/julien040/anyquery/plugins/edge |
<0.0.0-20240826075852-c651df0b8767 |
0.0.0-20240826075852-c651df0b8767+ |
github.com/julien040/anyquery/plugins/safari |
<0.0.0-20240826075852-c651df0b8767 |
0.0.0-20240826075852-c651df0b8767+ |
Indicator-of-exposure
- The repository depends on, vendors, forks, embeds, or packages affected Anyquery browser plugin modules.
- Code invokes
osascriptwith AppleScript or JXA source built byfmt.Sprintf, string concatenation, templates, or equivalent interpolation of SQL/user-controlled URL values. - Anyquery is used as an agent-accessible local data tool or is exposed through the Anyquery HTTP server.
- Users or agents can run
INSERTorUPDATEagainst browser tab tables such aschrome_tabs,brave_tabs,edge_tabs, orsafari_tabs. - The macOS process has access to browser sessions, files, keychain prompts, SSH keys, Git credentials, cloud credentials, package tokens, or model keys.
Quick checks:
rg -n "anyquery|github.com/julien040/anyquery/plugins/(chrome|brave|edge|safari)|chrome_tabs|brave_tabs|edge_tabs|safari_tabs|osascript|AppleScript|JavaScript|JXA|fmt\\.Sprintf\\(.*Script|newTabScript|setURLScript" .
go list -m -json github.com/julien040/anyquery/plugins/chrome github.com/julien040/anyquery/plugins/brave github.com/julien040/anyquery/plugins/edge github.com/julien040/anyquery/plugins/safari
rg -n "INSERT INTO .*_tabs|UPDATE .*_tabs|anyquery.*server|--host|listen|http" scripts docs .github Dockerfile* . 2>/dev/null
Windows:
rg -n "anyquery|github.com/julien040/anyquery/plugins/(chrome|brave|edge|safari)|chrome_tabs|brave_tabs|edge_tabs|safari_tabs|osascript|AppleScript|JavaScript|JXA|fmt\\.Sprintf\\(.*Script|newTabScript|setURLScript" .
go list -m -json github.com/julien040/anyquery/plugins/chrome github.com/julien040/anyquery/plugins/brave github.com/julien040/anyquery/plugins/edge github.com/julien040/anyquery/plugins/safari
rg -n "INSERT INTO .*_tabs|UPDATE .*_tabs|anyquery.*server|--host|listen|http" scripts docs .github Dockerfile* .
Do not run osascript payloads, inject newline-bearing URLs, execute shell
commands through AppleScript, or expose a real browser profile while validating.
Remediation strategy
- Upgrade every controlled Anyquery browser plugin module, vendored copy,
generated dependency report, SBOM, and developer tool image to
0.0.0-20240826075852-c651df0b8767+. - Remove direct interpolation of user-controlled values into AppleScript or JXA
source. Prefer passing the URL as an
osascriptargument, using a structured variable-binding mechanism, or a small wrapper that never places URL bytes in executable script source. - Validate tab URLs before browser automation: allow only expected schemes such
as
https://,http://, and documented browser-internal schemes required by product behavior. - Restrict SQL write access to browser tab virtual tables when Anyquery is exposed through HTTP, agents, shared workstations, or automation.
- Redact script text, URLs, command output, and environment values from errors and logs because rejected payloads may contain secrets or shell text.
- Review agent/local-tool policies so browser-tab mutations require explicit approval on credential-bearing macOS workstations.
The prompt
You are remediating CVE-2026-47252 / GHSA-hrj8-hjv8-mgwc, a critical Anyquery
browser-plugin code injection issue where SQL-controlled URLs are interpolated
into AppleScript or JXA passed to `osascript`. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades affected Anyquery browser
plugins, removes script-source interpolation, restricts browser-tab write
access, adds safe tests, refreshes generated artifacts, and documents
operator cleanup, or
- TRIAGE.md if this repository does not control affected Anyquery browser
plugins, forks, local-tool wrappers, agent integrations, or deployments.
## Rules
- Scope only CVE-2026-47252 / GHSA-hrj8-hjv8-mgwc and directly related browser
plugin AppleScript/JXA execution boundaries.
- Treat browser sessions, cookies, local files, keychain prompts, SSH keys, Git
credentials, cloud credentials, package tokens, model-provider keys, URLs,
command output, and environment values as sensitive.
- Do not run exploit URLs, invoke injected shell or JXA, open real browser
profiles with attacker-controlled input, or print generated script bodies
containing untrusted input.
- Do not remove browser plugin functionality, SQL authorization, audit logs, or
agent approval controls just to silence the advisory.
- Do not auto-merge.
## Steps
1. Inventory every controlled Anyquery browser-plugin reference: `go.mod`,
`go.sum`, vendored modules, forks, local plugin builds, MCP/agent tool
configs, Dockerfiles, developer setup scripts, HTTP server config, generated
dependency reports, SBOMs, and docs.
2. Determine every resolved plugin version for
`github.com/julien040/anyquery/plugins/chrome`,
`github.com/julien040/anyquery/plugins/brave`,
`github.com/julien040/anyquery/plugins/edge`, and
`github.com/julien040/anyquery/plugins/safari`. A target is vulnerable if
it resolves below `0.0.0-20240826075852-c651df0b8767`.
3. Search for custom copies of `newTabScript`, `setURLScript`, `osascript`,
`fmt.Sprintf`, string templates, or SQL `INSERT`/`UPDATE` paths that place
a URL into AppleScript or JXA source.
4. Determine whether Anyquery is exposed over HTTP, to local agents, to shared
workstations, or to CI/dev automation where untrusted users can write to
browser tab virtual tables.
5. If this repository does not control the affected plugin, fork, wrapper, or
deployment, stop with `TRIAGE.md` listing checked files, external owner if
known, and required fixed pseudo-version.
6. Upgrade all controlled browser plugin modules to
`0.0.0-20240826075852-c651df0b8767+`. Refresh locks, vendor trees, generated
reports, SBOMs, dev images, and docs.
7. For forks or equivalent local code, replace script-source interpolation:
- pass URL values through `osascript` arguments or structured variable
binding;
- keep static AppleScript/JXA source separate from user-controlled bytes;
- validate allowed URL schemes before invoking browser automation;
- apply the same fix to both `INSERT` and `UPDATE` tab paths.
8. Restrict write access to browser tab virtual tables:
- deny unauthenticated HTTP writes;
- require explicit agent approval for tab mutation tools;
- keep browser automation loopback/local unless a documented exception
exists;
- prevent CI or shared agents from mutating a user's real browser profile.
9. Add safe regression tests that do not execute injected commands:
- vulnerable module versions are absent;
- URLs containing quotes, newlines, carriage returns, or script delimiters
are rejected or passed as inert data;
- generated command arguments never contain untrusted URL bytes inside script
source;
- SQL write access is denied for unauthorized users or agents;
- errors and logs do not print generated scripts, environment values, or
credentials.
10. Add a PR body section named `CVE-2026-47252 operator actions` that states:
- plugin versions before and after;
- which browser plugin modules were present;
- whether Anyquery HTTP or agent access could write browser tab tables;
- whether real browser profiles, cookies, keychain prompts, or local files
were reachable;
- whether token, browser session, or workstation review is needed;
- which validation commands passed.
11. Run available validation: `go test ./...`, plugin tests, SQL authorization
tests, lint/static analysis, dependency install, container/dev-image build,
SBOM refresh, and dependency/security scans.
12. Use PR title:
`fix(sec): remediate CVE-2026-47252 in Anyquery browser plugins`.
## Stop conditions
- No affected Anyquery browser plugin, fork, local wrapper, or deployment is
controlled by this repository.
- A fixed module cannot be consumed without a broader Anyquery/plugin migration.
- Browser-tab mutation is intentionally exposed to untrusted agents or HTTP
clients; document the product/security decision needed in `TRIAGE.md`.
- Verification would require running injected AppleScript/JXA, shell commands,
or real browser-profile automation with untrusted input.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled module, vendor tree, image, SBOM, or generated report resolves affected Anyquery browser plugin versions.
- URL values are never interpolated into executable AppleScript or JXA source.
- Unsafe URL bytes are rejected or passed only as inert arguments.
- Unauthorized users and agents cannot write to browser tab virtual tables.
- Operator notes cover local browser session and workstation credential review when exposed Anyquery interfaces existed.
Watch for
- Escaping only double quotes while leaving newlines, carriage returns, script delimiters, or JXA-specific injection paths untreated.
- Fixing the
INSERTpath but leavingUPDATEor another browser plugin variant vulnerable. - Logging the generated AppleScript/JXA body after a rejected payload.
- Exposing Anyquery’s HTTP SQL interface to agents without separate write authorization for browser tabs.
Output contract
Return one of:
- A reviewer-ready PR/change request that upgrades affected Anyquery browser plugin modules, removes URL interpolation from executable script source, restricts browser-tab SQL writes, adds safe argument/authorization tests, refreshes generated artifacts, and documents operator cleanup.
TRIAGE.mdwhen no controlled affected plugin, fork, local wrapper, agent integration, or deployment exists.
The output must list plugin versions before/after, browser modules in scope, whether HTTP or agent access can write tab tables, whether real browser profiles or credentials were reachable, validation commands, and workstation or browser-session review needs. It must not execute injected AppleScript/JXA, open real browser profiles with attacker input, print generated script bodies, or expose URLs/secrets from logs.
Related recipes
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-hrj8-hjv8-mgwc
- Source repository: https://github.com/julien040/anyquery