EUVD-2026-14533
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Tags
Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.
Analysis
Blinko, an AI-powered card note-taking application, contains a path traversal vulnerability in its file server endpoint that fails to validate permissions on the temp/ directory and does not filter path traversal sequences (CWE-22). Attackers can exploit this to read arbitrary files on the server, and when scheduled backup tasks are enabled, can access backup files containing all user notes and authentication tokens. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 7 days: Identify all affected systems and apply vendor patches promptly. Review file handling controls and restrict upload directories.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today