Skip to main content

Trilium Notes CVE-2026-39311

| EUVDEUVD-2026-31173 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 GitHub_M
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 20, 2026 - 20:04 vuln.today
Analysis Generated
May 20, 2026 - 20:04 vuln.today
Patch available
May 20, 2026 - 20:02 EUVD

DescriptionGitHub Advisory

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable backend execution API results in an unauthenticated Remote Code Execution (RCE). The vulnerability arises from an insecure-by-design architecture: Trilium serves SVG attachments with the image/svg+xml MIME type without any sanitization, and it explicitly disables Helmet's Content Security Policy middleware, removing the primary defense against script execution in served assets. Because the malicious SVG runs under the Same-Origin Policy, it can issue a fetch('/') to extract the csrfToken from the document body. With that token, it can send a signed request to /api/script/exec to execute arbitrary Node.js code on the server. An attacker can compromise the entire server instance simply by tricking an authenticated user into viewing a shared SVG attachment. The issue has been fixed in version 0.102.2.

AnalysisAI

Stored XSS-to-RCE chain in Trilium Notes versions 0.102.1 and prior allows a network attacker to execute arbitrary Node.js code on the server by tricking an authenticated user into viewing a malicious SVG attachment. The vulnerability exploits three compounding design flaws - unsanitized SVG serving with the image/svg+xml MIME type, a deliberately disabled Content Security Policy, and an unauthenticated-from-same-origin script execution endpoint at /api/script/exec - enabling full server compromise through a single user interaction. No public exploit code or CISA KEV listing has been identified at time of analysis, but the detailed disclosure in the GitHub security advisory provides a near-complete attack recipe; EPSS data was not available in the provided intelligence.

Technical ContextAI

Trilium Notes (cpe:2.3:a:triliumnext:trilium:*:*:*:*:*:*:*:*) is a Node.js-based hierarchical knowledge base application. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting), specifically stored XSS via SVG attachments. When browsers fetch an SVG served with the Content-Type image/svg+xml as a top-level document - rather than as an embedded img element - they execute any embedded script tags. Trilium's backend serves SVG attachments with this MIME type without stripping JavaScript, and Helmet's CSP middleware is explicitly disabled in the application, removing the primary browser-side defense against inline script execution. Because the malicious SVG is served from the application's own origin, the Same-Origin Policy permits the embedded JavaScript to read the application's DOM (extracting a CSRF token from the page body) and issue credentialed fetch requests to backend API endpoints. The /api/script/exec endpoint accepts a CSRF-signed POST and executes arbitrary Node.js code server-side, completing the escalation from stored XSS to full server-side code execution.

RemediationAI

Upgrade immediately to Trilium Notes v0.102.2, which the vendor release notes at https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2 describe as containing 'important security fixes' and which specifically addresses SVG handling in share routes and the main API, re-enables content security controls, and hardens the Electron desktop application. The vendor strongly encourages updating before the next scheduled release. No workarounds that fully mitigate the chained attack are documented by the vendor. As a partial compensating control while patching, operators can restrict access to Trilium's share routes at the network or reverse-proxy layer - blocking unauthenticated external access to share URLs prevents untrusted parties from delivering the malicious SVG to authenticated users, though this does not protect against insider-threat scenarios where an internal attacker has upload access. Disabling the /api/script/exec endpoint is not straightforward without code changes and would break legitimate scripting functionality.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-39311 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy