What is the CVSS score of EUVD-2026-14535?

EUVD-2026-14535 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Blinko are affected by EUVD-2026-14535?

Organizations using Blinko should be aware of moderate risk from CVE-2026-23483, a path traversal vulnerability rated CVSS 5.3. This could allow unauthorized file access.

Is there a public PoC exploit available for EUVD-2026-14535?

Yes, a public proof-of-concept exploit is available for EUVD-2026-14535. Prioritise patching immediately. EPSS: 0.0%.

Blinko EUVD-2026-14535

| CVE-2026-23483 MEDIUM

Path Traversal (CWE-22)

2026-03-23 GitHub_M

Path Traversal Blinko

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 23, 2026 - 20:45 euvd

EUVD-2026-14535

Analysis Generated

Mar 23, 2026 - 20:45 vuln.today

CVE Published

Mar 23, 2026 - 20:28 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.

AnalysisAI

Blinko versions 1.8.3 and earlier contain a path traversal vulnerability in the plugin file server endpoint that fails to validate whether requested file paths remain within the plugins directory, enabling unauthenticated remote attackers to read arbitrary files. The vulnerability has a CVSS score of 5.3 and currently lacks a publicly available patch.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	While a formal CVSS score and EPSS probability are not provided, this vulnerability carries significant real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker on the network sends an HTTP GET request to the Blinko plugin endpoint with a crafted path such as '/plugins/../../../../../../etc/passwd' or uses URL-encoded traversal sequences to bypass simple string matching. The vulnerable endpoint joins this attacker-controlled path with the base plugins directory using join() without validation, resolving to an absolute path outside the plugins directory. …
Remediation	At the time of publication, no official patch is available from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running versions from 1.8.3 and and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-14535 vulnerability details – vuln.today

Back

Blinko EUVD-2026-14535

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code