AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
A high-severity vulnerability (CVE-2026-47252) exists in the AnyQuery plugin, allowing an authenticated user to inject arbitrary AppleScript statements via an unescaped URL in the macOS Chrome plugin, leading to OS-level command execution.
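The bug class and its usual remedy, as an added example that is not AnyQuery's code or its patch: the function names, the "open location" action and the sample URL are assumptions, since the page does not show the plugin's source. It contrasts a script built by string interpolation with a fixed script that receives the URL as an `osascript` run-handler argument, so the URL is never parsed as AppleScript.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical helpers for illustration; none of these names come from AnyQuery.
// naiveScript shows the flaw class: the URL is pasted into AppleScript source,
// so a double quote inside it ends the string literal early.
func naiveScript(raw string) string {
	return fmt.Sprintf(`tell application "Google Chrome" to open location "%s"`, raw)
}

// quoteAS renders s as an AppleScript string literal; backslash and double
// quote are the two characters that must be escaped inside one.
func quoteAS(s string) string {
	return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(s) + `"`
}

// osascriptArgs builds the argument list for /usr/bin/osascript with a fixed
// script; the URL travels as item 1 of argv and is only ever data.
func osascriptArgs(raw string) ([]string, error) {
	if strings.ContainsAny(raw, "\r\n\x00") {
		return nil, fmt.Errorf("control character in URL")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, fmt.Errorf("unsupported URL %q", raw)
	}
	return []string{
		"-e", "on run argv",
		"-e", `tell application "Google Chrome" to open location (item 1 of argv)`,
		"-e", "end run",
		raw,
	}, nil
}

func main() {
	in := `https://example.com/a"b` // constructed input containing a quote
	fmt.Println(naiveScript(in))     // the literal closes after /a
	fmt.Println(quoteAS(in))         // the quote stays inside the literal
	args, err := osascriptArgs(in)
	fmt.Println(args, err)
}
```

Passing the slice from `osascriptArgs` to `exec.Command("/usr/bin/osascript", args...)` avoids both shell and AppleScript parsing of the URL; `quoteAS` is the fallback when a value has to appear in the script text itself.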