cbcvebase.
CVE-2026-23482
published 2026-03-23


Priority: P2 · 58
Severity: high (CVSS 3.1 base score 7.5)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: EXPLOIT
EPSS: 1.52% (71.5th percentile)
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.

Affected (2 ranges)

Vendor       Product   Version range   Fixed in
blinko       blinko    < 1.8.4         1.8.4
blinkospace  blinko    < 1.8.4         1.8.4

Detection & IOCs (extracted from sources)

path: /api/file/temp/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
path: /api/file/temp/

yara:
rule CVE_2026_23482_Blinko_PathTraversal {
    strings:
        $traversal = "/api/file/temp/"
        $encoded = "..%2F"
    condition:
        $traversal and $encoded
}
  • Detect unauthenticated GET requests to /api/file/temp/ containing URL-encoded path traversal sequences (..%2F) targeting arbitrary files such as /etc/passwd
  • A successful exploit returns HTTP 200 with a body matching root:.*:0:0: — monitor for this pattern in responses to /api/file/temp/ requests
  • Fingerprint Blinko instances via FOFA icon hashes before scanning; confirmed Blinko hosts can be identified by icon_hash=-1446811182 or icon_hash=-717082057
  • Exploit requires no authentication (PR:N, UI:N); any unauthenticated request to the vulnerable path is sufficient — alert on anonymous access to /api/file/temp/ with traversal patterns
  • When scheduled backup tasks are enabled, attackers may target backup files under the temp/ path to harvest all user notes and authentication tokens — monitor for backup file reads via this endpoint
  • The vulnerability only affects Blinko versions prior to 1.8.4; instances already patched to 1.8.4+ are not exploitable via this path traversal
  • Backup-file exposure (notes + tokens) is conditional on the scheduled backup feature being enabled on the target instance
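One way to turn the detection notes above into a log check, as an added example that is neither the advisory's nor the Blinko project's own code: it parses constructed access-log lines, percent-decodes each request path until stable (so double-encoded `..%252F` is caught as well as `..%2F`), and flags any request under /api/file/temp/ whose normalized path climbs above temp/. The combined-log format, the sample lines and the IP addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log style (not real traffic); the first
# two mimic the encoded traversal path quoted in the detection notes above.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2026:10:00:01 +0000] "GET /api/file/temp/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1421
203.0.113.5 - - [23/Mar/2026:10:00:02 +0000] "GET /api/file/temp/..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1421
198.51.100.7 - - [23/Mar/2026:10:00:03 +0000] "GET /api/file/temp/upload-1234.png HTTP/1.1" 200 88213
198.51.100.7 - - [23/Mar/2026:10:00:04 +0000] "GET /api/file/temp/../backups/notes.json?x=1 HTTP/1.1" 200 5120
192.0.2.9 - - [23/Mar/2026:10:00:05 +0000] "GET /api/notes HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TEMP_PREFIX = "/api/file/temp/"  # the unchecked path named in the advisory

def fully_decode(s, max_rounds=5):
    """Percent-decode until stable so double-encoded '..%252F' is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def escapes_temp(raw_path):
    """True when the decoded path walks above temp/ (a '..' past depth 0)."""
    path = raw_path.split("?", 1)[0]           # ignore the query string
    if not path.startswith(TEMP_PREFIX):
        return False
    rel = fully_decode(path[len(TEMP_PREFIX):]).replace("\\", "/")
    depth = 0
    for seg in rel.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:                      # climbed out of temp/
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan_log(text):
    """One record per request escaping temp/; status 200 means it was served."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_temp(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                         "decoded": fully_decode(m["path"].split("?", 1)[0])})
    return hits
```

Records with status 200 are the ones worth escalating first, since the server answered the traversal rather than rejecting it.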

CVSS provenance

nvd, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd, CVSS v4.0: 8.2 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X