Brute-Force Protection Bypass in Trilium Notes Affects Open-Source Note Taking Software
CVE-2025-53544
What is CVE-2025-53544?
Trilium Notes is an open-source, cross-platform hierarchical note-taking application designed for building large personal knowledge bases. In versions prior to 0.97.0, the endpoint used to retrieve the initial sync seed accepted password guesses without applying the application's brute-force protection. Because that endpoint is reachable without authentication, an attacker can guess the login password at unrestricted speed without triggering any rate limiting. The impact is amplified because Trilium is a single-user application with no username: the password is the only secret an attacker needs to guess. Trilium also ships features intended for internet-facing deployments, such as multi-factor authentication and note sharing, so exposed instances are plausible. The issue has been addressed in version 0.97.0; upgrade to 0.97.0 or later.
Affected Version(s)
Trilium < 0.97.0
