Impact
Blinko’s plugin file server endpoint builds the path of the file it serves by passing a client-supplied path to join() without checking that the resolved location still lies inside the plugins directory. Because join() collapses "../" segments, a request whose path climbs out of that directory resolves to an arbitrary file that the Blinko process can read, and the endpoint returns its contents to the attacker. Disclosed files can include configuration files, credentials and other sensitive data, compromising confidentiality and potentially enabling further compromise of the host. This weakness is unchecked path traversal (CWE‑22).
Affected Systems
The issue affects blinkospace blinko versions 1.8.3 and earlier. Any deployment of these releases whose /plugins endpoint is reachable by an attacker is exposed. No specific hardware or operating system combination was identified; every environment running an affected Blinko release is susceptible until it is upgraded.
Risk and Exploitability
The CVSS score of 6.9 places the issue at the top of the Medium severity range, while the EPSS score of 2% indicates a low estimated probability of exploitation in the wild at present. The vulnerability is not listed in CISA’s KEV catalog, so no in-the-wild exploitation has been documented there. Based on the description, the attack vector is a crafted HTTP request to the plugin endpoint sent over the network; the attacker needs no elevated privileges, only network reach to the Blinko instance. The low EPSS score reflects a lack of observed exploitation rather than difficulty: once the endpoint is reachable, a single request whose path contains parent-directory segments is enough to read a file. Until a fixed release is available and applied, restrict access to the endpoint (for example at a reverse proxy, allowing only trusted source addresses) or disable the plugin feature entirely, and review access logs for requests to /plugins containing ".." sequences, including percent-encoded forms.
OpenCVE Enrichment