216.73.216.86

CVE-2026-39310

· Published 20/05/2026 20:16 · Modified 21/05/2026 15:24

Labels: CVE-2026-39310 2026-05-20CVE-2026-39310CWE-284[email protected]

Essential information

Published
20/05/2026 20:16
Modified
21/05/2026 15:24
Author
Creator
CVSS
8.6 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CVSS metrics

Description

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3) allows full authentication bypass when running in an Electron environment. When Trilium detects an Electron environment, it explicitly disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes to the network with no password, API token, or CSRF protection. An attacker on a shared network (for example, a corporate LAN or public Wi-Fi) can scan for open high-range ports using a tool like nmap, since Trilium often binds to ports such as 37840. Once a candidate port is found, an unauthenticated request to the Clipper handshake endpoint, which also bypasses authentication, confirms a Trilium instance by returning the application name and protocol version. This facilitates unauthorized data access, phishing, and local system compromise. The issue has been fixed in version 0.102.2.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
trilium / trilium notes cpe:2.3:a:trilium:trilium_notes:<0.102.2:*:*:*:*:*:*:*
trilium / trilium desktop cpe:2.3:a:trilium:trilium_desktop:0.101.3:*:*:*:*:*:*:*

References