TriliumNext/Trilium

採点内訳

※ 各項目の重みは「採点ルール」を参照。合計は 0 で底打ち。

過去の SecurityAdvisory (14 件)

• LOWGHSA-97mx-2qjm-qhfx2026/5/11
  Stored XSS via unescaped shareExternalLink label in share index page
• LOWGHSA-64fm-4j23-99j22026/5/11
  SQL Injection via Unsanitized URL Parameter in `getDayNotesForMonth`
• CRITICALGHSA-9jjc-cccq-f6rhCVE-2026-456682026/5/11
  Note Import to RCE via #docName Path Traversal (Safe Import Enabled)
• MEDIUMGHSA-hf4x-22rg-pjjpCVE-2026-355932026/5/11
  Local File Inclusion in upload modified file API endpoint
• MEDIUMGHSA-66pm-8hvq-2wwxCVE-2026-393092026/5/11
  TCC Bypass via Prompt Spoofing
• CRITICALGHSA-9hh2-9g65-cxf62026/5/11
  Note Import to RCE via AI/LLM Chat Stored XSS (Safe Import Enabled)
• HIGHGHSA-jcvx-vc83-cppwCVE-2026-393102026/5/11
  Authentication Bypass in Clipper API for Electron (Desktop) Builds
• MEDIUMGHSA-p837-cxw3-m964CVE-2026-393112026/5/11
  Stored XSS Leads to Unauthorized Remote Code Execution (RCE) via Unsanitized SVG Attachments
• CRITICALGHSA-xf5h-ph87-q9492026/5/11
  Remote code execution via malicious note
• MEDIUMGHSA-mv34-rvfg-f6mg2026/5/11
  Stored XSS via unsanitized SVG in share system
• CRITICALGHSA-rrr2-mp2p-9fcp2026/5/11
  Stored XSS in calendar recurrence error toast via #recurrence label value leads to RCE in synchronized Electron desktop clients
• MEDIUMGHSA-g4cp-6vcf-grj52026/5/11
  OAuth State Uses Weak Random Number Generator
• HIGHGHSA-hxf6-58cx-qq3xCVE-2025-686212026/2/6
  Timing Attack Vulnerability in /api/login/sync (CWE-208)
• HIGHGHSA-hw5p-ff75-327rCVE-2025-535442025/8/3
  Brute-force Protection Bypass via Initial Sync Seed Retrieval