Stored XSS in notes Title in zadam/trilium

Valid

Reported on

Dec 25th 2022


Description

A stored XSS vulnerability was found in the note creation flow: when a user creates a new note and enters a name for it, the note's title is rendered directly into the "Note Map" view. This results in HTML injection and cross-site scripting, stored and re-rendered every time the user opens the Note Map.
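The bug class described above, as an added illustration that is not Trilium's code and does not reproduce the project's actual fix: a note title that is concatenated straight into markup (the vulnerable pattern) beside the same renderer with HTML escaping applied. The function names, the `node-label` wrapper and the sample titles are assumptions made for this example; the DOM is simulated by building the markup string a renderer would hand to a label element.

```javascript
// Added example (not from the Trilium project): vulnerable vs. hardened
// rendering of an untrusted note title into a Note Map label.
// Runs under Node.js with no browser; markup is built as a string.

// Constructed sample titles: an ordinary title and the HTML-bearing one
// from the report above.
const SAMPLE_TITLES = [
  "Meeting notes",
  '"><img src="x" onerror=alert(1337) />',
];

// Vulnerable pattern: the title is interpolated directly into markup.
// Any '<', '>' or quote in the title becomes part of document structure,
// so an attribute value can be closed and a new element injected.
function renderLabelUnsafe(title) {
  return `<div class="node-label" title="${title}">${title}</div>`;
}

// Escape the five characters that can change HTML structure or break out
// of a double-quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the title is escaped before it reaches the markup,
// both in element content and in the attribute.
function renderLabelSafe(title) {
  const safe = escapeHtml(title);
  return `<div class="node-label" title="${safe}">${safe}</div>`;
}

// Defender-side check used to compare the two renderers: count opening
// tags in the produced markup. The renderer itself emits exactly one
// (<div>), so anything above 1 means the title introduced an element.
// A real review would parse the DOM rather than use a regex.
function countTags(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

// Summarise the difference for every sample title.
function demo() {
  return SAMPLE_TITLES.map((t) => ({
    title: t,
    unsafeTags: countTags(renderLabelUnsafe(t)),
    safeTags: countTags(renderLabelSafe(t)),
  }));
}

console.log(demo());
```

In a browser the simplest fix is to never build markup from the title at all: assign it through `textContent` (or a framework's text binding) so the browser treats it as data, which makes the escaping step unnecessary. The `countTags` check is a quick way to confirm in a unit test that a renderer cannot be made to emit more elements than it declares.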

Proof of Concept

1. Download the latest version on any distro; for PoC purposes I have downloaded version 0.57.5 for Windows [link](https://github.com/zadam/trilium/releases/download/v0.58.0-beta/trilium-windows-x64-0.58.0-beta.zip)

2. Now, run the trilium.exe binary application.

3. Now create a new note

4. Name the new note `"><img src="x" onerror=alert(1337) />`

5. Now visit the "Note Map" functionality and click on the red dot, or just wait for the alert to be prompted; the XSS fires because the payload is stored at this point.

6. Now the alert box will pop up every time, as it's stored.


Impact

This can lead to lateral privilege escalation and allow an attacker to get access to the application's JavaScript and manipulate the JavaScript of the server, which will lead to loss of users' trust and authenticity.

Video Proof of Concept & Screenshots for References:

https://drive.google.com/drive/folders/1Wt_BhUngMjFo3L2_7RhA4gFnYyJTHd5Z?usp=sharing

We are processing your report and will contact the zadam/trilium team within 24 hours. 9 months ago
We have contacted a member of the zadam/trilium team and are waiting to hear back 9 months ago
zadam modified the Severity from High (7.3) to Medium (4.6) 9 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
zadam validated this vulnerability 9 months ago
Chirag Agrawal has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chirag Agrawal
9 months ago

Researcher


Thank you so much Zadam for fixing this vulnerability!

Happy to secure :)

Chirag Agrawal
9 months ago

Researcher


Hey @zadam,

Could you please request a CVE for this!

Chirag Agrawal
8 months ago

Researcher


@admin can you please update me on this report!

Ben Harvie
8 months ago

Admin


The maintainer is in control of CVE assignment, they have the option after fixing & publishing. Please refrain from tagging admins for this request, thanks.

zadam marked this as fixed in 0.59.4 with commit 4c3fcc 4 months ago
zadam has been awarded the fix bounty
This vulnerability has been assigned a CVE
zadam published this vulnerability 4 months ago
Chirag Agrawal
4 months ago

Researcher


Thank you @zadam for assigning a CVE for this issue. I will make a blog & publish how this exploit worked soon for the community!
