PT-2026-42224 · Unknown · Trilium Notes

Drkim-Dev · Published 2026-05-20 · Updated 2026-05-20 · CVE-2026-39310

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Trilium Notes versions prior to 0.102.2
Description: Trilium Notes is a hierarchical note-taking application. In an Electron environment, the Clipper API explicitly disables the authentication middleware, allowing a full authentication bypass. This exposes endpoints such as '/api/clipper/notes' to the network without requiring a password, an API token, or Cross-Site Request Forgery (CSRF) protection (a mechanism that prevents unauthorized commands from being submitted on behalf of a user the web application trusts). An attacker on a shared network can identify instances by scanning high-range ports and sending an unauthenticated request to the Clipper handshake endpoint, which returns the application name and protocol version. This can lead to unauthorized data access, phishing, and local system compromise.
Recommendations: Update to version 0.102.2.
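The flaw described above is a conditional bypass: an authentication middleware that is skipped when the server believes it is running inside Electron. The following is an added illustration written for this entry, not Trilium's own code. It models a minimal middleware chain in plain JavaScript (no Express dependency); the request shape, the token value, the function names and the `isElectron` flag are all hypothetical, chosen only to contrast the weak wiring with the corrected one.

```javascript
// Added example (not Trilium's code): a tiny middleware chain that contrasts a
// router which skips authentication under Electron with one that always enforces it.

// Constructed request/response shapes for this illustration.
// req: { path, headers, body }   res: { status, body }
function runChain(middlewares, req) {
  const res = { status: 200, body: null };
  for (const mw of middlewares) {
    // A middleware returns true to halt the chain (response already written).
    if (mw(req, res)) return res;
  }
  return res;
}

// Hypothetical API-token check; the token value is constructed for the example.
const VALID_TOKEN = 'constructed-example-token';
function requireAuth(req, res) {
  if (req.headers.authorization !== VALID_TOKEN) {
    res.status = 401;
    res.body = 'Unauthorized';
    return true; // halt: caller never reaches the handler
  }
  return false;
}

// Stand-in for the '/api/clipper/notes' handler: creates a note from the body.
function clipperNotesHandler(req, res) {
  res.status = 201;
  res.body = { created: true, title: req.body && req.body.title };
  return true;
}

// Weak wiring: authentication is dropped whenever the process looks like Electron,
// so any host that can reach the port can create notes without credentials.
function buildVulnerableChain(isElectron) {
  const chain = [];
  if (!isElectron) chain.push(requireAuth);
  chain.push(clipperNotesHandler);
  return chain;
}

// Corrected wiring: the environment never decides whether auth applies.
function buildFixedChain(_isElectron) {
  return [requireAuth, clipperNotesHandler];
}

// Convenience entry point used by the checks below.
function handleClipperRequest(buildChain, isElectron, req) {
  return runChain(buildChain(isElectron), req);
}

// Stand-alone demonstration with a constructed unauthenticated request.
const unauthenticated = { path: '/api/clipper/notes', headers: {}, body: { title: 'x' } };
console.log('vulnerable, electron :', handleClipperRequest(buildVulnerableChain, true, unauthenticated).status);
console.log('fixed, electron      :', handleClipperRequest(buildFixedChain, true, unauthenticated).status);
```

The point to take from the two `build*Chain` functions is that the fix is structural: the authentication middleware is registered unconditionally, so a change in runtime detection (or a deployment that runs the Electron build on a shared network) cannot silently remove it. When reviewing similar code, look for any branch that removes a middleware from the chain based on environment rather than on a deliberate, documented configuration setting.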

Exploit

Fix

Weakness Enumeration: Missing Authentication; Improper Access Control

Related Identifiers: CVE-2026-39310

Affected Products: Trilium Notes