Skip to main content

Blinko CVE-2026-23482

| EUVD-2026-14533 HIGH
Path Traversal (CWE-22)
2026-03-23 GitHub_M
Path Traversal Blinko
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:18 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.8.4
EUVD ID Assigned
Mar 23, 2026 - 20:45 euvd
EUVD-2026-14533
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
CVE Published
Mar 23, 2026 - 20:25 nvd
HIGH 7.5

DescriptionGitHub Advisory

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.

AnalysisAI

Blinko, an AI-powered card note-taking application, contains a path traversal vulnerability in its file server endpoint that fails to validate permissions on the temp/ directory and does not filter path traversal sequences (CWE-22). Attackers can exploit this to read arbitrary files on the server, and when scheduled backup tasks are enabled, can access backup files containing all user notes and authentication tokens. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access file server endpoint
Exploit
Craft path traversal payload targeting temp/ directory
Execution
Retrieve backup files containing user notes and tokens
Impact
Exfiltrate sensitive data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Blinko versions prior to 1.8.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This vulnerability presents critical real-world risk due to multiple compounding factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker without authentication sends an HTTP request to the Blinko file server endpoint using a path traversal payload such as /temp/../../../../etc/passwd or /temp/../../../../backup.tar.gz (if backups are stored in predictable locations). Due to the lack of path validation, the server returns the contents of the arbitrary file. …
Remediation Immediately upgrade Blinko to version 1.8.4 or later, as confirmed by the official release at https://github.com/blinkospace/blinko/releases/tag/1.8.4. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Blinko deployments and document current versions; disable scheduled backup tasks if feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-23482 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy