CVE-2026-45668 PUBLISHED

Trilium Notes: Note Import to RCE via #docName Path Traversal (Safe Import Enabled)

Assigner: GitHub_M
Reserved: 12.05.2026 Published: 29.05.2026 Updated: 29.05.2026

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS. The archive combines a payload note (type: code, mime: text/plain) containing raw HTML/JS with a trigger note (type: doc or type: launcher) whose #docName label uses ../ path traversal to point at the payload note's API endpoint. The desktop client's Electron renderer runs with nodeIntegration enabled, so RCE is triggered once the payload is executed. This vulnerability is fixed in 0.102.2.
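The class of check that closes the #docName traversal described above, as an added example that is not Trilium's actual fix or code: an allow-list for the label value plus a containment check, applied to every note in an imported tree. `DOC_BASE`, `checkDocName`, `auditImportedNotes` and the note object shape are assumptions made for illustration, and the sample tree is constructed.

```javascript
// Added example, not Trilium's patch. DOC_BASE, the function names and the
// note shape ({title, attributes, children}) are assumptions for illustration.
const DOC_BASE = new URL("http://app.invalid/doc_notes/en/");
// Allow-list for one path segment: letters, digits, space, '_' and '-'.
// '.', '%' and '\' are excluded, so "..", encoded dots and backslashes fail.
const SEGMENT = /^[A-Za-z0-9 _-]+$/;

function checkDocName(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 200) {
    return { ok: false, reason: "empty, non-string or over-long value" };
  }
  for (const seg of value.split("/")) {
    if (!SEGMENT.test(seg)) {
      return { ok: false, reason: "disallowed segment: " + JSON.stringify(seg) };
    }
  }
  // Defence in depth: resolve against the base and confirm containment.
  const url = new URL(value + ".html", DOC_BASE);
  if (url.origin !== DOC_BASE.origin || !url.pathname.startsWith(DOC_BASE.pathname)) {
    return { ok: false, reason: "resolves outside the documentation directory" };
  }
  return { ok: true, path: url.pathname };
}

// Walk an imported note tree and collect docName labels that fail the check.
function auditImportedNotes(notes, findings = []) {
  for (const note of notes) {
    for (const attr of note.attributes || []) {
      if (attr.type !== "label" || attr.name !== "docName") continue;
      const result = checkDocName(attr.value);
      if (!result.ok) {
        findings.push({ title: note.title, value: attr.value, reason: result.reason });
      }
    }
    auditImportedNotes(note.children || [], findings);
  }
  return findings;
}

// Constructed sample tree: one benign label and two that must be rejected.
const SAMPLE_NOTES = [{
  title: "Help",
  attributes: [{ type: "label", name: "docName", value: "User Guide/Quick Start" }],
  children: [
    { title: "Trigger", attributes: [{ type: "label", name: "docName", value: "../../constructed/target" }] },
    { title: "Encoded", attributes: [{ type: "label", name: "docName", value: "%2e%2e/constructed" }] },
  ],
}];
console.log(auditImportedNotes(SAMPLE_NOTES));
```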

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.3

Product Status

Vendor: TriliumNext
Product: Trilium
Versions:
  • Version < 0.102.2 is affected

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')