# [CRIT] [GHSA / CRITICAL] CVE-2026-47252: Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin **Source:** GitHub Security Advisories **Published:** 2026-06-08 **Article:** https://github.com/advisories/GHSA-hrj8-hjv8-mgwc ## Threat Profile Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin # AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin | Field | Value | | ---------------- | ----- | | Repository | julien040/anyquery | | Affected version | 0.4.4 (commit 0abd460) | | Vulnerability | CWE-94 — Improper Control of Generation of Code | | Severity | High | ## Summary The `chrome_tabs` plugin (and equivalent Brave/Edge/Safari variants) interpolates a … ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47252` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.002** — Command and Scripting Interpreter: AppleScript ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### osascript invoked with AppleScript breakout pattern (mismatched tell blocks + do shell script) `UC_97_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.parent_process_name) as parent_process_name from datamodel=Endpoint.Processes where Processes.process_name=osascript Processes.process="*do shell script*" Processes.process="*end tell*" Processes.process="*tell application*" by Processes.dest Processes.user Processes.process_name Processes.process_id | `drop_dm_object_name(Processes)` | where like(process, "%tell application%tell application%") OR match(parent_process_name, "(?i)anyquery") OR match(parent_process, "(?i)anyquery") | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where DeviceInfo_OSPlatform == "macOS" or FolderPath has "/usr/bin/osascript" | where FileName =~ "osascript" | where ProcessCommandLine has "do shell script" | where ProcessCommandLine has "end tell" | where ProcessCommandLine has "tell application" | extend TellOpeners = countof(tolower(ProcessCommandLine), "tell application") | where TellOpeners >= 2 or InitiatingProcessFileName has "anyquery" or InitiatingProcessCommandLine has "anyquery" or InitiatingProcessFolderPath has "anyquery" | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256, ProcessId | order by Timestamp desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47252: Anyquery: AppleScript/JXA Code Injection via U `UC_97_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47252: Anyquery: AppleScript/JXA Code Injection via U ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("seturl.js")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("seturl.js")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47252: Anyquery: AppleScript/JXA Code Injection via U // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("seturl.js")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("seturl.js")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47252` ## Why this matters Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.