CVE-2026-23485

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/blinkospace/blinko/commit/9d6fa80a3e11a99886f90e048657443335fd3e7d	Patch
https://github.com/blinkospace/blinko/releases/tag/1.8.4	Release Notes
https://github.com/blinkospace/blinko/security/advisories/GHSA-5x64-pmfq-pw7q	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-23 21:17

Updated : 2026-03-24 18:05

NVD link : CVE-2026-23485

Mitre link : CVE-2026-23485

CVE.ORG link : CVE-2026-23485

JSON object : View

Products Affected

blinko

blinko

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-23485", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-23T21:17:02.840", "references": [{"url": "https://github.com/blinkospace/blinko/commit/9d6fa80a3e11a99886f90e048657443335fd3e7d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-5x64-pmfq-pw7q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versi\u00f3n 1.8.4, el par\u00e1metro filePath acepta secuencias de salto de ruta, permitiendo la enumeraci\u00f3n de la existencia de archivos en el servidor a trav\u00e9s de diferentes respuestas de error. Este problema ha sido parcheado en la versi\u00f3n 1.8.4."}], "lastModified": "2026-03-24T18:05:18.710", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31941A3D-C688-40DF-AA55-1AF9056275D0", "versionEndExcluding": "1.8.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}