PT-2026-42024 · Unknown · Trilium Notes

Umeradeemcheema · Published 2026-05-19 · Updated 2026-05-20 · CVE-2026-35593

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Trilium Notes versions prior to 0.102.2

Description: An authenticated attacker can perform Local File Inclusion, a flaw that allows arbitrary files on the server's filesystem to be read. The issue is in the uploadModifiedFileToAttachment() function, reached by a POST request to the '/api/attachments/{attachmentId}/upload-modified-file' endpoint. When the filePath variable of the request body contains a path, the server replaces the attachment's content with the content of that file. The attacker can then retrieve the content via the '/api/attachments/{attachmentId}/download' endpoint. This can expose sensitive data such as SSH keys, credentials, configuration files, and operating system files, potentially leading to remote code execution and the compromise of co-hosted applications.

Recommendations: Update to version 0.102.2. As a temporary workaround, restrict access to the '/api/attachments/{attachmentId}/upload-modified-file' endpoint.

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-35593

Affected Products: Trilium Notes