CVE-2026-47252: Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
The chrome_tabs plugin (and equivalent Brave/Edge/Safari variants) interpolates a SQL-controlled url value directly into an AppleScript template via fmt.Sprintf(newTabScript, url) at plugins/chrome/tabs.go:141 without any escaping, then passes the result to exec.Command("osascript", "-e", ...). An authenticated anyquery user who can issue SQL INSERT INTO chrome_tabs statements — which requires local CLI access — can break out of the {URL:"..."} property record with a newline-containing payload and inject arbitrary AppleScript statements, including do shell script, achieving OS-level command execution on the macOS host. The same pattern applies to the Update path at tabs.go:169 via the JXA setURL.js script.
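One way to close the injection described above, shown as an added example (it is not Anyquery's code or its actual patch): validate the url value and hand it to osascript as a run-handler argument instead of formatting it into the script source. The script text, the function names and the http/https-only policy are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"os/exec"
	"strings"
	"unicode"
)

// Hypothetical stand-in for the plugin's template: the URL is read from the
// run handler's argv, so it never becomes part of the script source.
const safeNewTabScript = `on run argv
	tell application "Google Chrome"
		tell front window to make new tab with properties {URL:(item 1 of argv)}
	end tell
end run`

// validateTabURL rejects control characters (including the newlines the
// advisory describes) and anything that is not an absolute http(s) URL.
func validateTabURL(raw string) (string, error) {
	if strings.IndexFunc(raw, unicode.IsControl) >= 0 {
		return "", fmt.Errorf("url contains control characters")
	}
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", fmt.Errorf("unsupported url %q", raw)
	}
	return u.String(), nil
}

// newTabCommand builds the osascript invocation without executing it.
func newTabCommand(raw string) (*exec.Cmd, error) {
	clean, err := validateTabURL(raw)
	if err != nil {
		return nil, err
	}
	// Data travels as its own argv element, not through fmt.Sprintf.
	return exec.Command("osascript", "-e", safeNewTabScript, clean), nil
}

func main() {
	// Constructed input containing a quote and a newline; it is rejected.
	_, err := newTabCommand("https://example.com/\"\n-- constructed input")
	fmt.Println("rejected:", err)
}
```

The same separation of script and data applies to the JXA Update path, where a run(argv) function can receive the value.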