CVE-2026-23482

HIGH8.2

Public PoC

Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

blinkospace / blinko< 1.8.4 – < 1.8.4

Exploits & PoCs

nucleiBlinko < 1.8.4 - Path Traversalby tx1ee

References

VENDOR_ADVISORYhttps://github.com/blinkospace/blinko/security/advisories/GHSA-hrwx-rhrx-f9mm
PATCHhttps://github.com/blinkospace/blinko/commit/c48851090767feba431418630c495d90a7da1781
PATCHhttps://github.com/blinkospace/blinko/releases/tag/1.8.4