Remote Code Execution in Trilium Notes Application by TriliumNext
CVE-2026-39311

6.8 MEDIUM

Key Information:

CVE Published: 20 May 2026

What is CVE-2026-39311?

Trilium Notes, a hierarchical note-taking application, contains a design flaw that allows remote code execution without authentication to the server itself. The root cause is twofold: SVG attachments are not sanitized, and the application's Content Security Policy (CSP) is disabled, so script embedded in an SVG runs in the application's own context. If an attacker can persuade an authenticated user to view a crafted SVG attachment, the embedded script can execute arbitrary Node.js code on the server, which amounts to a complete server compromise. Users should update to version 0.102.2, which resolves the issue.
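
The two missing controls named above, an upload-time gate for SVG attachments and response headers that keep an SVG from running script in the application's origin, as an added defensive example. This is not Trilium's code; the function names and the Express-style header map are assumptions, and the sample SVGs are constructed.

```javascript
// Added example (not from Trilium): reject SVG attachments that carry active
// content, and serve attachments so that even an unvetted SVG cannot run in
// the app's origin. Names below are hypothetical.

// Patterns that indicate script-capable content in an SVG. This is a
// reject-on-doubt gate, not a sanitizer: anything that matches is refused.
const ACTIVE_CONTENT_PATTERNS = [
  { name: "script element",       re: /<\s*script\b/i },
  { name: "event handler attr",   re: /\bon[a-z]+\s*=/i },
  { name: "javascript: URL",      re: /javascript\s*:/i },
  { name: "foreignObject element", re: /<\s*foreignObject\b/i },
  { name: "DTD entity",           re: /<!ENTITY\b/i },
];

// Returns the names of every pattern found in the SVG text (empty if clean).
function svgActiveContentFindings(svgText) {
  return ACTIVE_CONTENT_PATTERNS.filter((p) => p.re.test(svgText)).map((p) => p.name);
}

// Upload-time decision: SVGs (by declared type or extension) must pass the gate.
function vetAttachment(filename, mime, text) {
  const isSvg = /^image\/svg\+xml\b/i.test(mime) || /\.svg$/i.test(filename);
  if (isSvg) {
    const findings = svgActiveContentFindings(text);
    if (findings.length > 0) return { accept: false, findings };
  }
  return { accept: true, findings: [] };
}

// Headers for serving any stored attachment. Download instead of inline render,
// no MIME sniffing, and a CSP that forbids script and sandboxes the document so
// a rendered SVG gets no access to the application's origin.
function attachmentHeaders(filename, mime) {
  const safeName = filename.replace(/["\r\n]/g, "_");
  return {
    "Content-Type": mime,
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; img-src data:; sandbox",
  };
}

// Constructed samples: a plain drawing and two SVGs carrying active content.
const CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* would run in app origin */</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><rect width="1" height="1"/></svg>';

console.log(vetAttachment("logo.svg", "image/svg+xml", CLEAN_SVG));   // accept: true
console.log(vetAttachment("note.svg", "image/svg+xml", SCRIPT_SVG));  // accept: false
```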

Affected Version(s)

Trilium < 0.102.2

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed
