Blinko

10 CVEs for this product

CVE-2026-23882 HIGH PATCH This Week

Blinko versions prior to 1.8.4 allow authenticated high-privilege users to execute arbitrary commands through the MCP server creation function during connection testing, resulting in complete system compromise. An attacker with administrative credentials can inject malicious commands that execute with application privileges, achieving remote code execution. No patch is currently available for affected deployments.

Command Injection | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 7.2 | EPSS: 0.0%
CVE-2026-23485 MEDIUM PATCH This Month

Blinko, an AI-powered card note-taking application, contains a path traversal vulnerability in the filePath parameter that allows unauthenticated remote attackers to enumerate file existence on the server through differential error responses. Versions prior to 1.8.4 are affected, and an attacker can leverage this vulnerability to discover sensitive files and directories without authentication or user interaction. The vulnerability has been patched in version 1.8.4, and exploit code or proof-of-concept demonstrations are available via the GitHub security advisory.

Path Traversal | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2026-23488 MEDIUM PATCH This Month

Blinko, an AI-powered card note-taking application, contains an authentication bypass vulnerability in its comment management endpoints that allows unauthenticated attackers to create and view comments on any note, including private notes that have not been publicly shared. Versions prior to 1.8.4 are vulnerable, and a patch has been released and is available via the official GitHub repository. The vulnerability has a CVSS 4.0 score of 6.9 with a network attack vector requiring no privileges or user interaction, making it trivial to exploit.

Authentication Bypass | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-23487 MEDIUM PATCH This Month

An Insecure Direct Object Reference (IDOR) vulnerability in Blinko versions prior to 1.8.4 allows authenticated attackers to leak the superadmin token through the user.detail endpoint by manipulating user identifiers. This authentication bypass vulnerability has a CVSS score of 6.0 and affects the Blinko AI-powered note-taking application. A patch is available in version 1.8.4, and proof-of-concept information is available via the official GitHub security advisory.

Authentication Bypass | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-23486 MEDIUM POC PATCH This Month

A publicly accessible endpoint in Blinko prior to version 1.8.4 discloses sensitive user information including usernames, roles, and account creation dates without requiring authentication, allowing unauthenticated attackers to enumerate all user accounts. This information disclosure vulnerability (CWE-200) affects Blinko versions below 1.8.4 and has been patched in the latest release. The vulnerability is remotely exploitable over the network with minimal attack complexity and no privilege requirements, making it a significant privacy and enumeration risk for deployed instances.

Information Disclosure | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-23480 HIGH PATCH This Week

Blinko versions prior to 1.8.4 contain a critical privilege escalation vulnerability in the upsertUser endpoint that allows any authenticated user to modify other users' passwords and escalate to superadmin privileges. The vulnerability stems from three distinct authorization and input validation flaws: missing superAdminAuthMiddleware enforcement, optional password verification, and absent ownership checks. An attacker with valid credentials can directly execute account takeover and administrative privilege escalation with no additional exploits required.

Privilege Escalation | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 8.8 | EPSS: 0.0%
CVE-2026-23481 MEDIUM PATCH This Month

Blinko, an AI-powered card note-taking application, contains an authenticated arbitrary file write vulnerability in the saveAdditionalDevFile function that allows attackers to write files to arbitrary locations on the system via path traversal. This vulnerability affects all versions prior to 1.8.4 and requires authentication to exploit. An attacker with valid credentials can abuse this flaw to overwrite critical application files, inject malicious code, or achieve remote code execution depending on file permissions and system configuration.

Path Traversal | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-23484 MEDIUM This Month

Blinko versions 1.8.3 and earlier allow authenticated users to write arbitrary files to the filesystem through an unvalidated fileName parameter, exploiting a path traversal weakness. The vulnerability requires only basic user authentication and can be leveraged to place malicious files anywhere on the server, potentially leading to remote code execution or system compromise. No patch is currently available.

Path Traversal | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-23483 MEDIUM POC This Month

Blinko versions 1.8.3 and earlier contain a path traversal vulnerability in the plugin file server endpoint that fails to validate whether requested file paths remain within the plugins directory, enabling unauthenticated remote attackers to read arbitrary files. The vulnerability has a CVSS score of 5.3 and currently lacks a publicly available patch.

Path Traversal | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-23482 HIGH POC PATCH This Week

Blinko, an AI-powered card note-taking application, contains a path traversal vulnerability in its file server endpoint that fails to validate permissions on the temp/ directory and does not filter path traversal sequences (CWE-22). Attackers can exploit this to read arbitrary files on the server, and when scheduled backup tasks are enabled, can access backup files containing all user notes and authentication tokens. The vulnerability affects all versions prior to 1.8.4 and has been patched in the released version 1.8.4.

Path Traversal | Blinko
Sources: NVD, GitHub, VulDB
CVSS 3.1: 7.5 | EPSS: 0.0%