What is the CVSS score of CVE-2026-23481?

CVE-2026-23481 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Blinko are affected by CVE-2026-23481?

Organizations using saveAdditionalDevFile. This issue has been patched in should be aware of notable risk from CVE-2026-23481, a path traversal vulnerability rated CVSS 6.5.. A patch is available.

How to fix or mitigate CVE-2026-23481?

Within 30 days: Identify affected systems running saveAdditionalDevFile. This issue has been patched in and apply vendor patches as part of regular patch cycle. Review file handling controls.

Blinko CVE-2026-23481

EUVD-2026-14531 MEDIUM

Path Traversal (CWE-22)

2026-03-23 GitHub_M

Path Traversal Blinko

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.8.4

EUVD ID Assigned

Mar 23, 2026 - 20:45 euvd

EUVD-2026-14531

Analysis Generated

Mar 23, 2026 - 20:45 vuln.today

CVE Published

Mar 23, 2026 - 20:33 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4.

AnalysisAI

Blinko, an AI-powered card note-taking application, contains an authenticated arbitrary file write vulnerability in the saveAdditionalDevFile function that allows attackers to write files to arbitrary locations on the system via path traversal. This vulnerability affects all versions prior to 1.8.4 and requires authentication to exploit. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While CVSS scoring data is not provided, the vulnerability's real-world risk is elevated due to several factors: it requires authentication (reducing attack surface scope), but impacts the core file system integrity of the application. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user with standard privileges in a multi-user Blinko instance submits a crafted file save request to saveAdditionalDevFile with a path traversal payload (e.g., ../../../etc/blinko/config.json or an absolute path to a system-critical file). The function fails to validate the path and writes attacker-controlled content to the specified location, potentially overwriting application configuration files to inject malicious settings, disable authentication, or execute arbitrary code on the next application restart. …
Remediation	Upgrade Blinko to version 1.8.4 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running saveAdditionalDevFile. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-23481 vulnerability details – vuln.today

Back

Blinko CVE-2026-23481

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code