CVE-2026-45668 CRITICAL

CVE-2026-45668: Trilium Notes : Note Import to RCE via #docName Path Traversal (Safe Import Enabled)

Vendor Triliumnext
Product Trilium
Weakness CWE-22 · Path traversal
Published May 29, 2026
Last update May 29, 2026

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note (type: code, mime: text/plain) containing raw HTML/JS and a trigger note (type: doc or type: launcher) with a #docName label that uses ../ path traversal to point at the payload note's API endpoint. The desktop client Electron renderer runs with nodeIntegration enabled, so an RCE is triggered once the payload is executed. This vulnerability is fixed in 0.102.2.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated