What is the CVSS score of CVE-2026-23488?

CVE-2026-23488 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Blinko are affected by CVE-2026-23488?

Organizations using Blinko should be aware of moderate risk from CVE-2026-23488, a IDOR vulnerability rated CVSS 5.3. Exploitation could compromise the security of affected deployments.. A patch is available.

Blinko CVE-2026-23488

EUVD-2026-14544 MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-03-23 GitHub_M

Authentication Bypass Blinko

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.8.4

EUVD ID Assigned

Mar 23, 2026 - 21:00 euvd

EUVD-2026-14544

Analysis Generated

Mar 23, 2026 - 21:00 vuln.today

CVE Published

Mar 23, 2026 - 20:48 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4.

AnalysisAI

Blinko, an AI-powered card note-taking application, contains an authentication bypass vulnerability in its comment management endpoints that allows unauthenticated attackers to create and view comments on any note, including private notes that have not been publicly shared. Versions prior to 1.8.4 are vulnerable, and a patch has been released and is available via the official GitHub repository. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a moderate to high real-world risk despite the medium-high CVSS score of 6.9. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could enumerate note IDs within a target Blinko instance and, without authentication, send POST requests to /api/v1/comment/create with arbitrary comment content, successfully posting comments to private notes. The attacker could simultaneously query /api/v1/comment/list to view all existing comments across the entire note repository, exposing sensitive information such as private research notes, confidential project discussions, or personal information contained within comments. …
Remediation	Upgrade Blinko immediately to version 1.8.4 or later, which contains the authorization bypass fixes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-23488 vulnerability details – vuln.today

Back

Blinko CVE-2026-23488

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code