CVE-2026-39311 affects Trilium Notes versions 0.102.1 and earlier. The supplied sources describe a critical attack chain where an attacker can abuse an unsanitized SVG attachment, run script in the application origin because Content Security Policy is disabled, read a CSRF token from the page, and then call the backend script execution API to execute arbitrary Node.js code on the server. The issue is fixe [truncated]
CVE-2026-39310 is a high-severity authentication-bypass issue in Trilium Notes Desktop versions 0.102.1 and earlier. In an Electron environment, Trilium disables authentication middleware for the Clipper API, which can leave endpoints such as /api/clipper/notes reachable without a password, API token, or CSRF protection. The supplied advisory indicates that an attacker on the same network can discover exp [truncated]
CVE-2026-39309 affects Trilium Notes versions 0.102.1 and earlier. According to the supplied NVD record and GitHub references, the issue is a macOS TCC bypass through prompt spoofing in the Electron configuration: a local attacker can abuse the app’s RunAsNode fuse to launch a Node.js subprocess and trigger misleading permission prompts that appear to come from Trilium Notes. The result is a UI and trust [truncated]
CVE-2026-35593 is an authenticated local file inclusion issue in Trilium Notes 0.102.1 and earlier. The vulnerable attachment upload path can be pointed at another file on the server, causing the attachment content to be replaced with the contents of that file and later retrieved through the attachment download endpoint. Per the advisory and NVD record, this can expose sensitive local files such as SSH ke [truncated]