Triliumnext Trilium vulnerabilities
7 known vulnerabilities affecting triliumnext/trilium.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 3
Vulnerabilities
CVE-2026-39310 | Priority P2 | HIGH | CVSS 8.6 | CWE-284 | fixed in 0.102.2 | 2026-05-20
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3) allows full authentication bypass when running in an Electron environment. When Trilium detects an Electron environment, it explicitly disables authenti
Source: nvd
CVE-2025-68621 | Priority P3 | HIGH | CVSS 7.4 | CWE-208 | fixed in 0.101.0 | 2026-02-06
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical tim
Source: nvd
CVE-2025-53544 | Priority P3 | HIGH | CVSS 7.5 | CWE-307 | fixed in 0.97.0 | 2025-08-05
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a sin
Source: nvd
CVE-2026-35593 | Priority P3 | MEDIUM | CVSS 6.8 | CWE-22 | fixed in 0.102.2 | 2026-05-20
Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, allowing an authenticated attacker to read sensitive arbitrary files from the server's filesystem. The uploadModifiedFileToAttachment function, which is ca
Source: nvd
CVE-2026-45668 | Priority P3 | CRITICAL | CVSS 9.3 | CWE-22 | fixed in 0.102.2 | 2026-05-29
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note (type: code, mime: text/plain) containing raw HTML/JS and a trigger note
Source: nvd
CVE-2026-39311 | Priority P3 | MEDIUM | CVSS 6.8 | CWE-79 | fixed in 0.102.2 | 2026-05-20
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable backend execution API results in an unauthenticated Remot
Source: nvd
CVE-2026-39309 | Priority P4 | MEDIUM | CVSS 5.5 | CWE-290 | fixed in 0.102.2 | 2026-05-20
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission prompts by running malicious code under the identity of
Source: nvd