VYPR
Critical severityNVD Advisory· Published May 29, 2026· Updated Jun 1, 2026

CVE-2026-45668

CVE-2026-45668

Description

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note (type: code, mime: text/plain) containing raw HTML/JS and a trigger note (type: doc or type: launcher) with a #docName label that uses ../ path traversal to point at the payload note's API endpoint. The desktop client Electron renderer runs with nodeIntegration enabled, so an RCE is triggered once the payload is executed. This vulnerability is fixed in 0.102.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Triliumnext/Triliuminferred2 versions
    <0.102.2+ 1 more
    • (no CPE)range: <0.102.2
    • (no CPE)range: <0.102.2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.