CRITICAL | CVE-2026-45668 | CNA: GitHub_M

CVE-2026-45668: Trilium Notes : Note Import to RCE via #docName Path Traversal (Safe Import Enabled)

Trilium Notes is a cross-platform, hierarchical note-taking application focused on building large personal knowledge bases. In versions prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS. The archive combines a payload note (type: code, mime: text/plain) containing raw HTML/JS with a trigger note (type: doc or type: launcher) whose #docName label uses ../ path traversal to point at the payload note's API endpoint. The desktop client's Electron renderer runs with nodeIntegration enabled, so code execution on the host follows once the payload runs. This vulnerability is fixed in 0.102.2.

HarborGuard Analysis

Synopsis

A path traversal flaw in Trilium Notes (TriliumNext) lets a malicious ZIP archive achieve remote code execution when imported with safe import enabled. The attack requires the victim to import a crafted note bundle: a payload note containing raw HTML/JS combined with a trigger note whose #docName label uses ../ traversal to load the payload through an API endpoint. Because the desktop Electron renderer runs with nodeIntegration enabled, the injected JavaScript executes with full Node.js privileges on the host. A patched-image rebuild at version 0.102.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Trilium Notes versions in customer registries and CI pipelines, including custom-built images that bundle Trilium below 0.102.2.

Triage: Available

Triage scoring is available using the published CVSS v4.0 score of 9.3 (Critical), weighted by each customer organization's compliance policy (for example, internal-use knowledge tooling versus internet-facing deployments) and routed to the appropriate inbox inside the customer org.

Patch: Pending upstream

Patched-image rebuilds at version 0.102.2 are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is generated, regression-tested, and proposed via a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Not required

    The CVSS vector lists AV:L, meaning the attacker delivers the malicious ZIP locally (typically a file the victim imports into their Trilium client) rather than reaching the application over the network.

  • Authentication: Not required

    PR:N indicates no attacker credentials against Trilium are needed; the malicious archive carries the full payload.

  • Victim interaction: Required

    UI:A requires the victim to actively import the crafted ZIP archive with safe import enabled in their Trilium client.

  • Attack complexity: Low

    AC:L with AT:N indicates the exploit is reliable once the archive is imported, with no race conditions or environmental prerequisites beyond a vulnerable desktop client.

Blast Radius

  • Executes arbitrary code in the Electron renderer with nodeIntegration enabled, giving the attacker full Node.js API access on the victim's machine.
  • Reads, modifies, or exfiltrates any file or note content accessible to the user running the Trilium desktop client.
  • Pivots to other systems reachable from the victim host, since code runs with the user's network and credential context.
  • Tampers with the integrity of the local knowledge base and any synced Trilium server data the client is authenticated against.

How HarborGuard Handles This

Available on HarborGuard: images containing Trilium Notes below 0.102.2 are flagged on the next scan, and a rebuild at 0.102.2 is staged for affected workloads. For customers who opt into auto-remediation, the rebuild is regression-tested and a patch PR is opened against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Until the upgrade lands, restrict ZIP imports to trusted sources, disable safe import on shared or multi-user installs, and treat any user-supplied Trilium archive as untrusted code.
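As an added example (not HarborGuard's or Trilium's own code), a pre-import check that flags archives showing both halves of the pattern described above: a docName label carrying path syntax and a plain-text code note carrying markup. It assumes the export ZIP contains a `!!!meta.json` manifest whose `files` entries nest `children` and list `attributes` as `name`/`value` pairs; the sample archive it builds is constructed with placeholder values.

```python
import io
import json
import zipfile

META_NAME = "!!!meta.json"  # assumption: manifest name inside a Trilium export ZIP

def walk_notes(entries):
    # yield every note in the (assumed) nested manifest tree
    for entry in entries:
        yield entry
        yield from walk_notes(entry.get("children", []))

def is_traversal(value):
    # a docName should be a bare identifier; any path syntax means traversal
    return ".." in value or "/" in value or "\\" in value

def scan_archive(data):
    """Return (finding, note title, detail) tuples for a ZIP passed as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if META_NAME not in names:
            return [("missing-manifest", "", META_NAME)]
        for note in walk_notes(json.loads(zf.read(META_NAME)).get("files", [])):
            title = note.get("title", "")
            for attr in note.get("attributes", []):
                if attr.get("type") == "label" and attr.get("name") == "docName":
                    if is_traversal(str(attr.get("value", ""))):
                        findings.append(("docName-traversal", title, attr["value"]))
            # payload half of the pattern: a plain-text code note carrying markup
            if note.get("type") == "code" and note.get("mime") == "text/plain":
                fname = note.get("dataFileName", "")
                body = zf.read(fname).decode("utf-8", "replace").lower() if fname in names else ""
                if "<script" in body or "<iframe" in body:
                    findings.append(("html-in-plaintext-note", title, fname))
    return findings

def build_sample():
    # constructed sample archive showing both halves of the pattern (no real exploit)
    meta = {"formatVersion": 2, "files": [
        {"noteId": "n1", "title": "payload", "type": "code", "mime": "text/plain",
         "dataFileName": "payload.txt", "attributes": [], "children": []},
        {"noteId": "n2", "title": "trigger", "type": "doc", "mime": "", "children": [],
         "attributes": [{"type": "label", "name": "docName", "value": "../../PLACEHOLDER"}]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(META_NAME, json.dumps(meta))
        zf.writestr("payload.txt", "<script>/* constructed marker, no payload */</script>")
    return buf.getvalue()
```

Running `scan_archive` over an archive before handing it to the client gives a quarantine decision; an archive that yields no findings is not proven clean, only free of this specific pattern.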

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 0.102.2
Affected products: 1
Affected packages:
  • TriliumNext / Trilium < 0.102.2
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H