
Blinkospace Blinko vulnerabilities

10 known vulnerabilities affecting blinkospace/blinko.

Total CVEs: 10
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 7

Vulnerabilities

CVE-2026-23482 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 1.8.4 | 2026-03-23
CVE-2026-23482 [HIGH] CWE-22: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain al
Source: nvd

CVE-2026-23483 | P3 | MEDIUM | CVSS 5.3 | PoC | ≤ 1.8.3 | 2026-03-23
CVE-2026-23483 [MEDIUM] CWE-22: Blinko is an AI-powered card note-taking project. In versions 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify that the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.
Source: nvd

CVE-2026-23480 | P3 | HIGH | CVSS 8.8 | fixed in 1.8.4 | 2026-03-23
CVE-2026-23480 [HIGH] CWE-288: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, so any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for
Source: nvd

CVE-2026-23486 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 1.8.4 | 2026-03-23
CVE-2026-23486 [MEDIUM] CWE-200: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.
Source: nvd

CVE-2026-23882 | P3 | HIGH | CVSS 7.2 | fixed in 1.8.4 | 2026-03-23
CVE-2026-23882 [HIGH] CWE-78: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
Source: nvd

CVE-2026-23484 | P3 | MEDIUM | CVSS 6.5 | ≤ 1.8.3 | 2026-03-23
CVE-2026-23484 [MEDIUM] CWE-22: Blinko is an AI-powered card note-taking project. In versions 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patche
Source: nvd

CVE-2026-23481 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.8.4 | 2026-03-23
CVE-2026-23481 [MEDIUM] CWE-22: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4.
Source: nvd

CVE-2026-23487 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.8.4 | 2026-03-23
CVE-2026-23487 [MEDIUM] CWE-639: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where the user.detail endpoint leaks the superadmin token. This issue has been patched in version 1.8.4.
Source: nvd

CVE-2026-23488 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.8.4 | 2026-03-23
CVE-2026-23488 [MEDIUM] CWE-639: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The /api/v1/comment/list endpoint has the same issue, a
Source: nvd

CVE-2026-23485 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.8.4 | 2026-03-23
CVE-2026-23485 [MEDIUM] CWE-22: Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.
Source: nvd