CVE-2026-39309 affects Trilium Notes versions 0.102.1 and earlier. According to the NVD record and GitHub references, the issue is a macOS TCC bypass through prompt spoofing in the Electron configuration: a local attacker can abuse the app’s RunAsNode fuse to launch a Node.js subprocess and trigger misleading permission prompts that appear to come from Trilium Notes. The result is a UI and trust [truncated]
CVE-2026-35593 is an authenticated local file inclusion issue in Trilium Notes 0.102.1 and earlier. The vulnerable attachment upload path can be pointed at another file on the server, causing the attachment content to be replaced with the contents of that file and later retrieved through the attachment download endpoint. Per the advisory and NVD record, this can expose sensitive local files such as SSH ke [truncated]