Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated arbitrary file write
Action: Patch
AI Analysis

Impact

The flaw resides in the Blinko component saveAdditionalDevFile, permitting an authenticated user to write files to arbitrary paths. This can lead to the overwriting or creation of files that the application depends on, potentially disrupting functionality or providing a foothold for further malicious actions. The weakness is a classic absolute path traversal (CWE‑22).

Affected Systems

Blinko, provided by blinkospace, affected in all releases prior to version 1.8.4. Any deployment using an earlier version is vulnerable.

Risk and Exploitability

The vulnerability scores a CVSS of 5.3, indicating moderate severity. The EPSS score is below 1 %, suggesting a low likelihood of exploitation in the wild, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated within the Blinko environment; no public exploit has been disclosed. Attackers with legitimate access could craft file names that redirect writes to critical locations, thereby degrading data integrity or enabling persistence.

Generated by OpenCVE AI on March 24, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Blinko version 1.8.4 or later, which contains the fix for the saveAdditionalDevFile file‑write issue.

Generated by OpenCVE AI on March 24, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Blinko
Blinko blinko
CPEs cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products Blinko
Blinko blinko
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Blinkospace
Blinkospace blinko
Vendors & Products Blinkospace
Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4.
Title Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Blinko Blinko
Blinkospace Blinko
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:45:57.927Z

Reserved: 2026-01-13T15:47:41.627Z

Link: CVE-2026-23481

cve-icon Vulnrichment

Updated: 2026-03-24T18:45:53.918Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T21:17:02.100

Modified: 2026-03-24T18:50:03.907

Link: CVE-2026-23481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:41Z

Weaknesses