
Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.

PUBLISHED Reserved 2026-01-16 | Published 2026-03-23 | Updated 2026-03-24 | Assigner GitHub_M




HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 1.8.4: affected

References

github.com/...blinko/security/advisories/GHSA-59r2-82p8-c56v

github.com/...ommit/bef6b770743e87c630db2d00d7049dabd96bfe85

github.com/blinkospace/blinko/releases/tag/1.8.4

cve.org (CVE-2026-23882)

nvd.nist.gov (CVE-2026-23882)
