CVE-2026-47252 - Anyquery browser plugin AppleScript/JXA injection

Anyquery browser plugins for Chrome, Brave, Edge, and Safari interpolated a SQL-controlled url value into AppleScript or JXA source before invoking osascript. A user who can issue INSERT or UPDATE statements against the browser tab virtual tables can supply URL text that changes the generated script and executes arbitrary AppleScript/JXA under the macOS user session.

This is a local-to-host code-execution boundary failure. It becomes more severe when Anyquery’s SQL interface is exposed over HTTP, used by agents, or run in a developer workstation session that has browser, filesystem, keychain, cloud, or repository credentials.

When to use it

Use this recipe when a repository embeds, vendors, wraps, configures, or documents Anyquery browser plugins for Chrome, Brave, Edge, or Safari, especially when SQL access is exposed to local agents, HTTP clients, shared workstations, or automation. It is a local-tool and agent-tool boundary recipe for preventing browser-tab mutation from becoming macOS script execution.

Do not use it to run AppleScript/JXA payloads. Use it to remove script-source interpolation, restrict write access, and document workstation/session review.

Inputs

  • go.mod, go.sum, vendored modules, forks, local plugin builds, MCP or agent tool configs, developer setup scripts, Dockerfiles, SBOMs, dependency reports, and docs that reference Anyquery browser plugins.
  • Custom code or forks containing osascript, AppleScript/JXA source, fmt.Sprintf, newTabScript, setURLScript, or SQL INSERT/UPDATE paths for browser tab virtual tables.
  • Exposure model for Anyquery: local-only CLI, HTTP server, shared workstation, CI/dev automation, MCP tool, or agent-accessible SQL interface.
  • Authorization and approval controls for writing to chrome_tabs, brave_tabs, edge_tabs, or safari_tabs.
  • Workstation/browser session authority: cookies, local files, keychain prompts, SSH/Git/cloud/package/model credentials, and environment variables.

Affected versions

Go module Vulnerable versions Fixed version
github.com/julien040/anyquery/plugins/brave <0.0.0-20240826075852-c651df0b8767 0.0.0-20240826075852-c651df0b8767+
github.com/julien040/anyquery/plugins/chrome <0.0.0-20240826075852-c651df0b8767 0.0.0-20240826075852-c651df0b8767+
github.com/julien040/anyquery/plugins/edge <0.0.0-20240826075852-c651df0b8767 0.0.0-20240826075852-c651df0b8767+
github.com/julien040/anyquery/plugins/safari <0.0.0-20240826075852-c651df0b8767 0.0.0-20240826075852-c651df0b8767+

Indicator-of-exposure

  • The repository depends on, vendors, forks, embeds, or packages affected Anyquery browser plugin modules.
  • Code invokes osascript with AppleScript or JXA source built by fmt.Sprintf, string concatenation, templates, or equivalent interpolation of SQL/user-controlled URL values.
  • Anyquery is used as an agent-accessible local data tool or is exposed through the Anyquery HTTP server.
  • Users or agents can run INSERT or UPDATE against browser tab tables such as chrome_tabs, brave_tabs, edge_tabs, or safari_tabs.
  • The macOS process has access to browser sessions, files, keychain prompts, SSH keys, Git credentials, cloud credentials, package tokens, or model keys.

Quick checks:

rg -n "anyquery|github.com/julien040/anyquery/plugins/(chrome|brave|edge|safari)|chrome_tabs|brave_tabs|edge_tabs|safari_tabs|osascript|AppleScript|JavaScript|JXA|fmt\\.Sprintf\\(.*Script|newTabScript|setURLScript" .
go list -m -json github.com/julien040/anyquery/plugins/chrome github.com/julien040/anyquery/plugins/brave github.com/julien040/anyquery/plugins/edge github.com/julien040/anyquery/plugins/safari
rg -n "INSERT INTO .*_tabs|UPDATE .*_tabs|anyquery.*server|--host|listen|http" scripts docs .github Dockerfile* . 2>/dev/null

Windows:

rg -n "anyquery|github.com/julien040/anyquery/plugins/(chrome|brave|edge|safari)|chrome_tabs|brave_tabs|edge_tabs|safari_tabs|osascript|AppleScript|JavaScript|JXA|fmt\\.Sprintf\\(.*Script|newTabScript|setURLScript" .
go list -m -json github.com/julien040/anyquery/plugins/chrome github.com/julien040/anyquery/plugins/brave github.com/julien040/anyquery/plugins/edge github.com/julien040/anyquery/plugins/safari
rg -n "INSERT INTO .*_tabs|UPDATE .*_tabs|anyquery.*server|--host|listen|http" scripts docs .github Dockerfile* .

Do not run osascript payloads, inject newline-bearing URLs, execute shell commands through AppleScript, or expose a real browser profile while validating.

Remediation strategy

  • Upgrade every controlled Anyquery browser plugin module, vendored copy, generated dependency report, SBOM, and developer tool image to 0.0.0-20240826075852-c651df0b8767+.
  • Remove direct interpolation of user-controlled values into AppleScript or JXA source. Prefer passing the URL as an osascript argument, using a structured variable-binding mechanism, or a small wrapper that never places URL bytes in executable script source.
  • Validate tab URLs before browser automation: allow only expected schemes such as https://, http://, and documented browser-internal schemes required by product behavior.
  • Restrict SQL write access to browser tab virtual tables when Anyquery is exposed through HTTP, agents, shared workstations, or automation.
  • Redact script text, URLs, command output, and environment values from errors and logs because rejected payloads may contain secrets or shell text.
  • Review agent/local-tool policies so browser-tab mutations require explicit approval on credential-bearing macOS workstations.

The prompt

You are remediating CVE-2026-47252 / GHSA-hrj8-hjv8-mgwc, a critical Anyquery
browser-plugin code injection issue where SQL-controlled URLs are interpolated
into AppleScript or JXA passed to `osascript`. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades affected Anyquery browser
  plugins, removes script-source interpolation, restricts browser-tab write
  access, adds safe tests, refreshes generated artifacts, and documents
  operator cleanup, or
- TRIAGE.md if this repository does not control affected Anyquery browser
  plugins, forks, local-tool wrappers, agent integrations, or deployments.

## Rules

- Scope only CVE-2026-47252 / GHSA-hrj8-hjv8-mgwc and directly related browser
  plugin AppleScript/JXA execution boundaries.
- Treat browser sessions, cookies, local files, keychain prompts, SSH keys, Git
  credentials, cloud credentials, package tokens, model-provider keys, URLs,
  command output, and environment values as sensitive.
- Do not run exploit URLs, invoke injected shell or JXA, open real browser
  profiles with attacker-controlled input, or print generated script bodies
  containing untrusted input.
- Do not remove browser plugin functionality, SQL authorization, audit logs, or
  agent approval controls just to silence the advisory.
- Do not auto-merge.

## Steps

1. Inventory every controlled Anyquery browser-plugin reference: `go.mod`,
   `go.sum`, vendored modules, forks, local plugin builds, MCP/agent tool
   configs, Dockerfiles, developer setup scripts, HTTP server config, generated
   dependency reports, SBOMs, and docs.
2. Determine every resolved plugin version for
   `github.com/julien040/anyquery/plugins/chrome`,
   `github.com/julien040/anyquery/plugins/brave`,
   `github.com/julien040/anyquery/plugins/edge`, and
   `github.com/julien040/anyquery/plugins/safari`. A target is vulnerable if
   it resolves below `0.0.0-20240826075852-c651df0b8767`.
3. Search for custom copies of `newTabScript`, `setURLScript`, `osascript`,
   `fmt.Sprintf`, string templates, or SQL `INSERT`/`UPDATE` paths that place
   a URL into AppleScript or JXA source.
4. Determine whether Anyquery is exposed over HTTP, to local agents, to shared
   workstations, or to CI/dev automation where untrusted users can write to
   browser tab virtual tables.
5. If this repository does not control the affected plugin, fork, wrapper, or
   deployment, stop with `TRIAGE.md` listing checked files, external owner if
   known, and required fixed pseudo-version.
6. Upgrade all controlled browser plugin modules to
   `0.0.0-20240826075852-c651df0b8767+`. Refresh locks, vendor trees, generated
   reports, SBOMs, dev images, and docs.
7. For forks or equivalent local code, replace script-source interpolation:
   - pass URL values through `osascript` arguments or structured variable
     binding;
   - keep static AppleScript/JXA source separate from user-controlled bytes;
   - validate allowed URL schemes before invoking browser automation;
   - apply the same fix to both `INSERT` and `UPDATE` tab paths.
8. Restrict write access to browser tab virtual tables:
   - deny unauthenticated HTTP writes;
   - require explicit agent approval for tab mutation tools;
   - keep browser automation loopback/local unless a documented exception
     exists;
   - prevent CI or shared agents from mutating a user's real browser profile.
9. Add safe regression tests that do not execute injected commands:
   - vulnerable module versions are absent;
   - URLs containing quotes, newlines, carriage returns, or script delimiters
     are rejected or passed as inert data;
   - generated command arguments never contain untrusted URL bytes inside script
     source;
   - SQL write access is denied for unauthorized users or agents;
   - errors and logs do not print generated scripts, environment values, or
     credentials.
10. Add a PR body section named `CVE-2026-47252 operator actions` that states:
    - plugin versions before and after;
    - which browser plugin modules were present;
    - whether Anyquery HTTP or agent access could write browser tab tables;
    - whether real browser profiles, cookies, keychain prompts, or local files
      were reachable;
    - whether token, browser session, or workstation review is needed;
    - which validation commands passed.
11. Run available validation: `go test ./...`, plugin tests, SQL authorization
    tests, lint/static analysis, dependency install, container/dev-image build,
    SBOM refresh, and dependency/security scans.
12. Use PR title:
    `fix(sec): remediate CVE-2026-47252 in Anyquery browser plugins`.

## Stop conditions

- No affected Anyquery browser plugin, fork, local wrapper, or deployment is
  controlled by this repository.
- A fixed module cannot be consumed without a broader Anyquery/plugin migration.
- Browser-tab mutation is intentionally exposed to untrusted agents or HTTP
  clients; document the product/security decision needed in `TRIAGE.md`.
- Verification would require running injected AppleScript/JXA, shell commands,
  or real browser-profile automation with untrusted input.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled module, vendor tree, image, SBOM, or generated report resolves affected Anyquery browser plugin versions.
  • URL values are never interpolated into executable AppleScript or JXA source.
  • Unsafe URL bytes are rejected or passed only as inert arguments.
  • Unauthorized users and agents cannot write to browser tab virtual tables.
  • Operator notes cover local browser session and workstation credential review when exposed Anyquery interfaces existed.

Watch for

  • Escaping only double quotes while leaving newlines, carriage returns, script delimiters, or JXA-specific injection paths untreated.
  • Fixing the INSERT path but leaving UPDATE or another browser plugin variant vulnerable.
  • Logging the generated AppleScript/JXA body after a rejected payload.
  • Exposing Anyquery’s HTTP SQL interface to agents without separate write authorization for browser tabs.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades affected Anyquery browser plugin modules, removes URL interpolation from executable script source, restricts browser-tab SQL writes, adds safe argument/authorization tests, refreshes generated artifacts, and documents operator cleanup.
  • TRIAGE.md when no controlled affected plugin, fork, local wrapper, agent integration, or deployment exists.

The output must list plugin versions before/after, browser modules in scope, whether HTTP or agent access can write tab tables, whether real browser profiles or credentials were reachable, validation commands, and workstation or browser-session review needs. It must not execute injected AppleScript/JXA, open real browser profiles with attacker input, print generated script bodies, or expose URLs/secrets from logs.

References