
Blinko CVE-2026-23882

| EUVD-2026-14545 HIGH
OS Command Injection (CWE-78)
2026-03-23 GitHub_M
7.2
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Analysis Updated · Apr 16, 2026 - 06:18 · source: EUVD patch fix (executive summary)
Re-analysis Queued · Apr 16, 2026 - 05:29 · source: EUVD patch backfill (patch released)
Patch available · Apr 16, 2026 - 05:29 · source: EUVD · fixed version 1.8.4
EUVD ID Assigned · Mar 23, 2026 - 21:00 · source: euvd · EUVD-2026-14545
Analysis Generated · Mar 23, 2026 - 21:00 · source: vuln.today
CVE Published · Mar 23, 2026 - 20:52 · source: nvd · HIGH 7.2

Description (GitHub Advisory)

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.

Analysis (AI)

Blinko versions prior to 1.8.4 allow an authenticated, high-privilege user to execute arbitrary operating-system commands through the MCP server creation function: the command and arguments stored for a new MCP server are run when the connection is tested. An attacker holding administrative credentials can therefore supply a malicious command that executes with the privileges of the Blinko process, achieving remote code execution and, in a typical deployment, full compromise of the host or container. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as a high-privileged user
Exploit: Open the MCP server creation function
Execution: Specify a malicious command and arguments in the server definition
Impact: The connection test executes the arbitrary system command

Vulnerability Assessment (AI)

Exploitation: Requires authenticated access as a high-privilege user to a Blinko instance running a version before 1.8.4. No user interaction and no special network position beyond reaching the web application are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Despite the high score (the CVSS 3.1 vector shown above rates it 7.2; the full assessment also cites a CVSS 4.0 score of 8.6), real-world risk is tempered by the requirement for high privileges (PR:H): the attacker must already hold an administrative account, whether through stolen credentials or as a malicious insider. The impact once that bar is cleared is full control of the process running Blinko. …
Exploit Scenario: An attacker who has compromised administrator credentials, or a malicious insider with administrative access, logs into the Blinko application and navigates to the MCP server creation interface. The attacker enters a malicious command (for example a reverse shell payload) and arguments in the server configuration parameters, then triggers the connection test, which executes the command on the server. …
Remediation: Upgrade Blinko to version 1.8.4 or later, which contains the fix for this command injection, as documented in the release notes at https://github.com/blinkospace/blinko/releases/tag/1.8.4 and commit bef6b770743e87c630db2d00d7049dabd96bfe85. Until the upgrade is applied, restrict administrative accounts to the minimum set of trusted users and review who can define MCP servers. …

Recommended Action (AI)

Within 24 hours: Identify all Blinko installations and record their current version numbers; upgrade any instance below 1.8.4. Audit administrative user accounts and review access logs for unexpected MCP server definitions or connection tests, since exploitation requires an administrator session. …


CVE-2026-23882 vulnerability details – vuln.today
