Remote Code Execution and XSS in Trilium Notes by Trilium Labs
CVE-2026-45668

9.3 CRITICAL

Key Information:

CVE Published:
29 May 2026

What is CVE-2026-45668?

Trilium Notes is a cross-platform hierarchical note-taking application. Versions before 0.102.2 contain cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities reachable through the ZIP import feature, and the safe import setting does not prevent them. An attacker who can get a user to import a malicious ZIP archive combines path traversal in the archive's entry names with crafted payload notes. When such a note is rendered in the Electron renderer, which runs with nodeIntegration enabled, the payload gains access to the application's API and can execute arbitrary code on the user's machine. Users should update to 0.102.2 or later.

Affected Version(s)

Trilium < 0.102.2

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: not specified
User Interaction: not specified

The attack vector is Local because the crafted archive has to be imported on the victim's machine; the attacker does not reach the application over the network.

Timeline

  • Vulnerability published: 29 May 2026

  • Vulnerability reserved