{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T11:36:03.042","vulnerabilities":[{"cve":{"id":"CVE-2025-68621","sourceIdentifier":"security-advisories@github.com","published":"2026-02-06T22:16:10.660","lastModified":"2026-02-24T15:14:37.663","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases.  Prior to 0.101.0, a critical timing attack vulnerability in Trilium's sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim's knowledge base. This vulnerability is fixed in 0.101.0."},{"lang":"es","value":"Trilium Notes es una aplicación jerárquica para tomar notas de código abierto y multiplataforma, con enfoque en la construcción de grandes bases de conocimiento personales. Antes de 0.101.0, una crítica vulnerabilidad de ataque de temporización en el punto final de autenticación de sincronización de Trilium permite a atacantes remotos no autenticados recuperar hashes de autenticación HMAC byte a byte mediante análisis estadístico de temporización. Esto permite una omisión completa de autenticación sin conocimiento de la contraseña, otorgando acceso completo de lectura/escritura a la base de conocimiento de la víctima. Esta vulnerabilidad está corregida en 0.101.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-208"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:triliumnotes:trilium:*:*:*:*:*:*:*:*","versionEndExcluding":"0.101.0","matchCriteriaId":"B7F7FB8D-735B-494D-A4C9-C709F66BF7C4"}]}]}],"references":[{"url":"https://github.com/TriliumNext/Trilium/pull/8129","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Patch","Vendor Advisory"]}]}}]}