CVE-2026-39311 Overview
Trilium Notes is a cross-platform, hierarchical note-taking application used to build personal knowledge bases. Versions 0.102.1 and prior contain an unauthenticated Remote Code Execution (RCE) flaw triggered through a malicious SVG attachment. The application serves SVG files with the image/svg+xml MIME type without sanitization and explicitly disables Helmet's Content Security Policy (CSP) middleware. A crafted SVG executes under the Same-Origin Policy, extracts the csrfToken from the document body, and submits a signed request to /api/script/exec to run arbitrary Node.js code on the server. The issue is fixed in version 0.102.2.
Critical Impact
An attacker can fully compromise a Trilium server instance by tricking an authenticated user into viewing a shared SVG attachment, gaining arbitrary Node.js code execution.
Affected Products
- TriliumNext Trilium Notes versions 0.102.1 and earlier
- Trilium server deployments serving user-supplied SVG attachments
- Multi-user Trilium instances where attachments can be shared between accounts
Discovery Timeline
- 2026-05-20 - CVE-2026-39311 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-39311
Vulnerability Analysis
The flaw is an insecure-by-design composition of three weaknesses that, combined, yield unauthenticated RCE. Trilium serves user-supplied SVG attachments with the image/svg+xml content type and performs no sanitization of embedded <script> elements or event handlers. The server also disables Helmet's CSP middleware, removing the primary browser-side defense against inline script execution in served assets. Finally, the backend exposes a /api/script/exec endpoint that accepts arbitrary Node.js code when called with a valid CSRF token. This combination is classified as Cross-site Scripting [CWE-79] but escalates to server-side code execution.
Root Cause
The root cause is the lack of SVG sanitization at the attachment-serving layer paired with the explicit disabling of Helmet's contentSecurityPolicy middleware. SVG files are XML documents that browsers parse and execute as active content when served with the image/svg+xml MIME type. Without CSP or sanitization, embedded JavaScript runs with the privileges of the Trilium origin.
Attack Vector
An attacker uploads a malicious SVG containing JavaScript and shares it with a target user. When the victim views the attachment, the script runs under Trilium's Same-Origin Policy context. The script issues fetch('/') to retrieve the page body and parses out the csrfToken. It then posts that token to /api/script/exec, which accepts and runs arbitrary Node.js code on the server. The result is full server compromise tied to the authenticated victim's session.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-p837-cxw3-m964 for technical details.
Detection Methods for CVE-2026-39311
Indicators of Compromise
- SVG attachments in the Trilium attachment store containing <script> tags, onload, or onerror handlers
- HTTP POST requests to /api/script/exec originating from browser sessions that previously fetched an SVG attachment
- Unexpected child processes spawned by the Trilium Node.js process, such as shells, package managers, or network utilities
- Outbound network connections from the Trilium server to unfamiliar hosts following SVG attachment access
Detection Strategies
- Inspect stored attachments for SVG files containing executable content prior to user access
- Correlate image/svg+xml GET requests with subsequent /api/script/exec POSTs from the same client session
- Monitor the Trilium application logs for script-execution API calls outside of expected administrative workflows
- Apply file-content scanning rules that flag SVG attachments with embedded JavaScript on upload
Monitoring Recommendations
- Alert on any invocation of /api/script/exec, treating it as a high-privilege administrative action
- Track process lineage from the Trilium service to identify execution of sh, bash, node, or other interpreters spawned post-exploitation
- Capture and retain web server access logs that include attachment MIME types and referer chains for forensic review
How to Mitigate CVE-2026-39311
Immediate Actions Required
- Upgrade Trilium Notes to version 0.102.2 or later, which contains the official fix
- Restrict access to Trilium instances to trusted networks until the patch is applied
- Audit existing attachments for malicious SVG files and remove any with embedded scripts
- Rotate session secrets and CSRF tokens after upgrading if compromise is suspected
Patch Information
The maintainers released the fix in Trilium v0.102.2. The patch sanitizes SVG attachments and addresses the missing CSP protections. Administrators should review the GitHub Security Advisory GHSA-p837-cxw3-m964 for the complete remediation notes.
Workarounds
- Block uploads of files with the .svg extension or image/svg+xml MIME type at a reverse proxy until the upgrade is complete
- Enforce a strict Content Security Policy at the reverse proxy layer that disallows inline script execution for served attachments
- Serve attachments with Content-Disposition: attachment to force download rather than inline rendering
- Limit Trilium to single-user deployments where attachment sharing between accounts is not possible
# Example nginx workaround: block SVG attachment delivery until patched
location ~* \.svg$ {
return 403;
}
# Force download instead of inline render for attachments
location /api/attachments/ {
add_header Content-Disposition "attachment" always;
add_header Content-Security-Policy "default-src 'none'; sandbox" always;
proxy_pass http://trilium_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
