Description
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write via Path Traversal
Action: Assess Impact
AI Analysis

Impact

A path‑traversal flaw exists in the saveDevPlugin endpoint of Blinko versions 1.8.3 and earlier. An authenticated user can supply an arbitrary fileName value, which the application writes to the file system without any filtering. This allows the user to overwrite or create files at arbitrary locations, potentially including executables or configuration files. The vulnerability is identified as a CWE‑22 type, and its exploitation could compromise integrity, confidentiality, and availability of the host system.

Affected Systems

Blinkospace Blinko, any installations running version 1.8.3 or older. No specific sub‑modules are singled out beyond the standard saveDevPlugin feature. The flaw requires only normal user authentication and does not need super‑admin rights.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk; the EPSS score of less than 1% suggests low public exploitation likelihood, and the issue is not listed on CISA’s Known Exploited Vulnerabilities catalog. The likely attack vector is an authenticated normal user sending a crafted request to the saveDevPlugin endpoint with a specially formatted fileName that traverses directories (e.g., ../../../../etc/passwd). Because the flaw permits arbitrary file creation, an attacker could overwrite critical system files or place malicious payloads, enabling a wide range of downstream attacks.

Generated by OpenCVE AI on March 24, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the saveDevPlugin interface to super‑admin users, or disable it entirely until a patch is released.
  • Sanitize the fileName parameter: reject path separators and traversal segments, and verify that the resolved target path stays inside the intended plugin directory.
  • Monitor logs for unusual file‑write activity, especially writes to system directories.
  • Upgrade Blinko to a newer version once a patch becomes available.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Blinko; Blinko blinko
CPEs                                  cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products                    Blinko; Blinko blinko
Metrics                               cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Tue, 24 Mar 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Blinkospace; Blinkospace blinko
Vendors & Products                    Blinkospace; Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type                 Values Removed   Values Added
Description                           Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches.
Title                                 Blinko: Authenticated Arbitrary File Write - saveDevPlugin
Weaknesses                            CWE-22
References
Metrics                               cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T19:11:30.801Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23484

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-23T21:17:02.700

Modified: 2026-03-24T19:15:09.103

Link: CVE-2026-23484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:42Z

Weaknesses