Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities by blinko
CVE-2026-23882 (GCVE-0-2026-23882)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:52 – Updated: 2026-03-24 15:59
VLAI?
Title
Blinko: Admin RCE - MCP Server Command Injection
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23882",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T15:58:18.222613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:59:02.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:52:17.200Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-59r2-82p8-c56v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-59r2-82p8-c56v"
},
{
"name": "https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-59r2-82p8-c56v",
"discovery": "UNKNOWN"
},
"title": "Blinko: Admin RCE - MCP Server Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23882",
"datePublished": "2026-03-23T20:52:17.200Z",
"dateReserved": "2026-01-16T21:02:02.901Z",
"dateUpdated": "2026-03-24T15:59:02.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23485 (GCVE-0-2026-23485)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:50 – Updated: 2026-03-24 15:13
VLAI?
Title
Blinko: Unauthorized Path Traversal File Enumeration - music-metadata
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:41:45.162698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:13:17.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:50:02.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-5x64-pmfq-pw7q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-5x64-pmfq-pw7q"
},
{
"name": "https://github.com/blinkospace/blinko/commit/9d6fa80a3e11a99886f90e048657443335fd3e7d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/9d6fa80a3e11a99886f90e048657443335fd3e7d"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-5x64-pmfq-pw7q",
"discovery": "UNKNOWN"
},
"title": "Blinko: Unauthorized Path Traversal File Enumeration - music-metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23485",
"datePublished": "2026-03-23T20:50:02.880Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-03-24T15:13:17.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23488 (GCVE-0-2026-23488)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:48 – Updated: 2026-03-24 13:48
VLAI?
Title
Blinko: multiple interfaces in the comment feature allow unauthorized access
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T13:47:27.294337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T13:48:42.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, allowing unauthorized viewing of comments on all notes. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:48:55.325Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-84hm-vw62-472m"
},
{
"name": "https://github.com/blinkospace/blinko/pull/1089",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/pull/1089"
},
{
"name": "https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/4623dd02bdeed768ffa6fea4cc2f8644cbb08c5e"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-84hm-vw62-472m",
"discovery": "UNKNOWN"
},
"title": "Blinko: multiple interfaces in the comment feature allow unauthorized access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23488",
"datePublished": "2026-03-23T20:48:55.325Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-03-24T13:48:42.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23487 (GCVE-0-2026-23487)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:45 – Updated: 2026-03-24 18:46
VLAI?
Title
Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:46:26.294268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:46:32.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:45:32.635Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-4ffv-78qx-9p66"
},
{
"name": "https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-4ffv-78qx-9p66",
"discovery": "UNKNOWN"
},
"title": "Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23487",
"datePublished": "2026-03-23T20:45:32.635Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-03-24T18:46:32.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23486 (GCVE-0-2026-23486)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:42 – Updated: 2026-03-24 14:07
VLAI?
Title
Blinko: Unauthorized User Information Leak
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:07:17.087724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:07:26.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:42:24.689Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-446p-2xf5-frxf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-446p-2xf5-frxf"
},
{
"name": "https://github.com/blinkospace/blinko/commit/ec1e3e20384b620b8bf928fe80b4d8546757b419",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/ec1e3e20384b620b8bf928fe80b4d8546757b419"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-446p-2xf5-frxf",
"discovery": "UNKNOWN"
},
"title": "Blinko: Unauthorized User Information Leak"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23486",
"datePublished": "2026-03-23T20:42:24.689Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-03-24T14:07:26.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23480 (GCVE-0-2026-23480)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:39 – Updated: 2026-03-24 14:08
VLAI?
Title
Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:08:18.666791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:08:24.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users\u0027 passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:39:38.784Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-r3mv-q7ww-86p6"
},
{
"name": "https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/3afbdf486b6f371bdac5781dea6289749f2c4c03"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-r3mv-q7ww-86p6",
"discovery": "UNKNOWN"
},
"title": "Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23480",
"datePublished": "2026-03-23T20:39:38.784Z",
"dateReserved": "2026-01-13T15:47:41.627Z",
"dateUpdated": "2026-03-24T14:08:24.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23481 (GCVE-0-2026-23481)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:33 – Updated: 2026-03-24 18:45
VLAI?
Title
Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:45:35.521223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:45:57.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:33:32.754Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-38hg-8p2j-76g5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-38hg-8p2j-76g5"
},
{
"name": "https://github.com/blinkospace/blinko/commit/02a4205f1ad22d0e78dc2ab2967b551d0dbd0a06",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/02a4205f1ad22d0e78dc2ab2967b551d0dbd0a06"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-38hg-8p2j-76g5",
"discovery": "UNKNOWN"
},
"title": "Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23481",
"datePublished": "2026-03-23T20:33:32.754Z",
"dateReserved": "2026-01-13T15:47:41.627Z",
"dateUpdated": "2026-03-24T18:45:57.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23484 (GCVE-0-2026-23484)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:31 – Updated: 2026-03-25 19:11
VLAI?
Title
Blinko: Authenticated Arbitrary File Write - saveDevPlugin
Summary
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
<= 1.8.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:11:14.087711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:11:30.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:31:19.999Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-7v3f-v6vf-jm9q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-7v3f-v6vf-jm9q"
}
],
"source": {
"advisory": "GHSA-7v3f-v6vf-jm9q",
"discovery": "UNKNOWN"
},
"title": "Blinko: Authenticated Arbitrary File Write - saveDevPlugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23484",
"datePublished": "2026-03-23T20:31:19.999Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-03-25T19:11:30.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23483 (GCVE-0-2026-23483)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:28 – Updated: 2026-03-24 16:03
VLAI?
Title
Blinko: Unauthorized Arbitrary File Read - /plugins
Summary
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
<= 1.8.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T16:00:36.751085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T16:03:10.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:28:55.541Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-54c7-9gxh-fg9v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-54c7-9gxh-fg9v"
}
],
"source": {
"advisory": "GHSA-54c7-9gxh-fg9v",
"discovery": "UNKNOWN"
},
"title": "Blinko: Unauthorized Arbitrary File Read - /plugins"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23483",
"datePublished": "2026-03-23T20:28:55.541Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-03-24T16:03:10.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23482 (GCVE-0-2026-23482)
Vulnerability from cvelistv5 – Published: 2026-03-23 20:25 – Updated: 2026-03-24 13:51
VLAI?
Title
Blinko: Unauthorized Arbitrary File Read - /api/file/temp
Summary
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blinkospace | blinko |
Affected:
< 1.8.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T13:51:24.976188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T13:51:48.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "blinko",
"vendor": "blinkospace",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T20:25:50.219Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-hrwx-rhrx-f9mm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-hrwx-rhrx-f9mm"
},
{
"name": "https://github.com/blinkospace/blinko/commit/c48851090767feba431418630c495d90a7da1781",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/commit/c48851090767feba431418630c495d90a7da1781"
},
{
"name": "https://github.com/blinkospace/blinko/releases/tag/1.8.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4"
}
],
"source": {
"advisory": "GHSA-hrwx-rhrx-f9mm",
"discovery": "UNKNOWN"
},
"title": "Blinko: Unauthorized Arbitrary File Read - /api/file/temp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23482",
"datePublished": "2026-03-23T20:25:50.219Z",
"dateReserved": "2026-01-13T15:47:41.627Z",
"dateUpdated": "2026-03-24T13:51:48.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}