{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23484", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T15:47:41.628Z", "datePublished": "2026-03-23T20:31:19.999Z", "dateUpdated": "2026-03-25T19:11:30.801Z"}, "containers": {"cna": {"title": "Blinko: Authenticated Arbitrary File Write - saveDevPlugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/blinkospace/blinko/security/advisories/GHSA-7v3f-v6vf-jm9q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-7v3f-v6vf-jm9q"}], "affected": [{"vendor": "blinkospace", "product": "blinko", "versions": [{"version": "<= 1.8.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T20:31:19.999Z"}, "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-7v3f-v6vf-jm9q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:11:14.087711Z", "id": "CVE-2026-23484", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:11:30.801Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1A18F1C-9DE3-41C2-8E99-49F0063FD24C", "versionEndExcluding": "1.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. En versiones desde la 1.8.3 y anteriores, el par\u00e1metro fileName no est\u00e1 filtrado, lo que permite el salto de ruta para escribir archivos en cualquier lugar del sistema de archivos. Adem\u00e1s, esta interfaz solo requiere authProcedure (usuario normal), no superAdminAuthMiddleware. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."}], "id": "CVE-2026-23484", "lastModified": "2026-03-24T19:15:09.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T21:17:02.700", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-7v3f-v6vf-jm9q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "blinko", "source": "cna", "vendor": "blinkospace"}, "product": "blinko", "vendor": "blinkospace"}], "analysis": {"en": {"generated_at": "2026-03-24T20:44:43.756369+00:00", "value": {"mitigation_remediation": ["Restrict the saveDevPlugin interface to super\u2011admin users or remove it entirely until a patch is released.", "Implement input sanitization for the fileName parameter, rejecting path separators or resolving to a safe directory.", "Monitor logs for unusual fileWrite activity, especially writes to system directories.", "Upgrade Blinko to a newer version once a patch becomes available."], "summary": {"action": "Assess Impact", "impact": "Arbitrary File Write via Path Traversal"}, "threat_synthesis": {"affected_systems": "Blinkospace Blinko, any installations running version 1.8.3 or older. No specific sub\u2011modules are singled out beyond the standard saveDevPlugin feature. The flaw requires only normal user authentication and does not need super\u2011admin rights.", "description_and_impact": "A path\u2011traversal flaw exists in the saveDevPlugin endpoint of Blinko versions 1.8.3 and earlier. An authenticated user can supply an arbitrary fileName value, which the application writes to the file system without any filtering. This allows the user to overwrite or create files at arbitrary locations, potentially including executables or configuration files. The vulnerability is identified as a CWE\u201122 type, and its exploitation could compromise integrity, confidentiality, and availability of the host system.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate risk; the EPSS score of less than 1% suggests low public exploitation likelihood, and the issue is not listed on CISA\u2019s Known Exploited Vulnerabilities catalog. The likely attack vector is an authenticated normal user sending a crafted request to the saveDevPlugin endpoint with a specially formatted fileName that traverses directories (e.g., ../../../../etc/passwd). Because the flaw permits arbitrary file creation, an attacker could overwrite critical system files or place malicious payloads, enabling a wide range of downstream attacks."}}}}, "created": "2026-03-24T10:32:53.138121+00:00", "updated": "2026-03-25T20:36:42.262605+00:00", "vendors": ["blinkospace", "blinkospace$PRODUCT$blinko"]}