CVE-2026-23481

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/blinkospace/blinko/commit/02a4205f1ad22d0e78dc2ab2967b551d0dbd0a06	Patch
https://github.com/blinkospace/blinko/releases/tag/1.8.4	Release Notes
https://github.com/blinkospace/blinko/security/advisories/GHSA-38hg-8p2j-76g5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*

History

24 Mar 2026, 18:50

Type	Values Removed	Values Added
First Time		Blinko Blinko blinko
Summary		(es) Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versión 1.8.4, existe una vulnerabilidad de escritura arbitraria de archivos autenticada en saveAdditionalDevFile. Este problema ha sido parcheado en la versión 1.8.4.
References	~~() https://github.com/blinkospace/blinko/commit/02a4205f1ad22d0e78dc2ab2967b551d0dbd0a06 -~~	() https://github.com/blinkospace/blinko/commit/02a4205f1ad22d0e78dc2ab2967b551d0dbd0a06 - Patch
References	~~() https://github.com/blinkospace/blinko/releases/tag/1.8.4 -~~	() https://github.com/blinkospace/blinko/releases/tag/1.8.4 - Release Notes
References	~~() https://github.com/blinkospace/blinko/security/advisories/GHSA-38hg-8p2j-76g5 -~~	() https://github.com/blinkospace/blinko/security/advisories/GHSA-38hg-8p2j-76g5 - Vendor Advisory
CPE		cpe:2.3:a:blinko:blinko::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

23 Mar 2026, 21:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-23 21:17

Updated : 2026-03-24 18:50

NVD link : CVE-2026-23481

Mitre link : CVE-2026-23481

CVE.ORG link : CVE-2026-23481

JSON object : View

Products Affected

blinko

blinko

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-23481", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-23T21:17:02.100", "references": [{"url": "https://github.com/blinkospace/blinko/commit/02a4205f1ad22d0e78dc2ab2967b551d0dbd0a06", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-38hg-8p2j-76g5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versi\u00f3n 1.8.4, existe una vulnerabilidad de escritura arbitraria de archivos autenticada en saveAdditionalDevFile. Este problema ha sido parcheado en la versi\u00f3n 1.8.4."}], "lastModified": "2026-03-24T18:50:03.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31941A3D-C688-40DF-AA55-1AF9056275D0", "versionEndExcluding": "1.8.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}