EUVD-2026-14535
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Tags
Description
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.
Analysis
Blinko versions 1.8.3 and earlier contain a path traversal vulnerability in the plugin file server endpoint that fails to validate whether requested file paths remain within the plugins directory, enabling unauthenticated remote attackers to read arbitrary files. The vulnerability has a CVSS score of 5.3 and currently lacks a publicly available patch.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running versions from 1.8.3 and and apply vendor patches as part of regular patch cycle. Review file handling controls.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today