What is the CVSS score of CVE-2026-23484?

CVE-2026-23484 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Blinko are affected by CVE-2026-23484?

Organizations using Blinko should be aware of notable risk from CVE-2026-23484, a path traversal vulnerability rated CVSS 6.5. This could allow unauthorized file access.

Blinko CVE-2026-23484

EUVD-2026-14538 MEDIUM

Path Traversal (CWE-22)

2026-03-23 GitHub_M

Path Traversal Blinko

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 23, 2026 - 20:45 euvd

EUVD-2026-14538

Analysis Generated

Mar 23, 2026 - 20:45 vuln.today

CVE Published

Mar 23, 2026 - 20:31 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches.

AnalysisAI

Blinko versions 1.8.3 and earlier allow authenticated users to write arbitrary files to the filesystem through an unvalidated fileName parameter, exploiting a path traversal weakness. The vulnerability requires only basic user authentication and can be leveraged to place malicious files anywhere on the server, potentially leading to remote code execution or system compromise. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a critical real-world risk despite the absence of CVSS and EPSS scores in the provided data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user (possibly with low privileges or credentials obtained through social engineering or credential reuse) crafts an HTTP request to Blinko's file write endpoint with a malicious fileName parameter such as '../../../../tmp/malicious.sh' or '../../blinko/startup.js'. Due to the lack of input validation, the application writes the attacker's supplied file content to the traversed path, potentially overwriting application code or system files. …
Remediation	At the time of this analysis, no official patch is available from the Blinko project. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running versions from 1.8.3 and and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-23484 vulnerability details – vuln.today

Back

Blinko CVE-2026-23484

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code