Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.

PUBLISHED Reserved 2026-01-13 | Published 2026-03-23 | Updated 2026-03-24 | Assigner GitHub_M




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 1.8.4: affected

References

github.com/...blinko/security/advisories/GHSA-5x64-pmfq-pw7q

github.com/...ommit/9d6fa80a3e11a99886f90e048657443335fd3e7d

github.com/blinkospace/blinko/releases/tag/1.8.4

cve.org (CVE-2026-23485)

nvd.nist.gov (CVE-2026-23485)
