Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.
Published: 2026-03-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Path Traversal
Action: Immediate Patch
AI Analysis

Impact

Blinko accepts a filePath parameter that does not properly sanitize path traversal sequences such as "../". When an attacker sends a crafted path, the server replies with a different error depending on whether the referenced file exists, and that difference lets the adversary confirm or rule out the presence of arbitrary files on the host. The weakness is classified as path traversal (CWE-22). Note that the disclosed information is file existence, not file contents (the CVSS vector records low confidentiality impact); the practical value to an attacker is reconnaissance, for example confirming configuration files, installed software or backup artifacts before a more targeted attack.

Affected Systems

The affected product is Blinko, released by blinkospace. All versions prior to 1.8.4 are vulnerable because the filePath handling did not confine the resolved path to its intended directory. Any pre-1.8.4 instance reachable over the network can be probed for file existence without authentication (the CVSS vector specifies PR:N).

Risk and Exploitability

With a CVSS v4.0 score of 6.9 (NVD additionally records a CVSS v3.1 score of 5.3) the vulnerability is of moderate severity, and its EPSS score of less than 1% indicates a low probability of active exploitation in the wild. It is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, although it rates the flaw as automatable. Exploitation consists of issuing unauthenticated HTTP requests to the endpoint that takes the filePath parameter (the advisory title associates it with music-metadata) using paths containing traversal sequences, then comparing the error responses to determine which files are present. Because the probe is a single request per candidate path, it is straightforward to script against a wordlist.
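As an added illustration (not Blinko's own code and not a reproduction of the patched endpoint), the following TypeScript shows the class of bug described in the Impact and Risk sections: a lookup that joins a caller-controlled filePath onto an upload root and maps filesystem errors onto distinct responses, beside a resolver that confines the path to the root and answers uniformly. The function names (vulnerableLookup, resolveWithinRoot, hardenedLookup, demo), the temporary-directory fixture and the probe paths are all assumptions made for the example.

```typescript
// Added example; not Blinko's code. Names and fixture are assumptions.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Vulnerable pattern: filePath is joined onto the root with no containment
// check, and the underlying fs error is mapped onto distinct messages, so the
// response reveals whether a file outside the root exists.
function vulnerableLookup(root: string, filePath: string): string {
  const target = path.join(root, filePath);
  try {
    const st = fs.statSync(target);
    return st.isFile() ? "ok" : "not a file";
  } catch (err) {
    const code = (err as { code?: string }).code;
    return code === "ENOENT" ? "file not found" : `stat failed: ${code}`;
  }
}

// Resolve filePath against root and refuse anything that escapes it.
// Returns null for rejected input so the caller can answer uniformly.
// This is a lexical check; if the root may contain symlinks, also compare
// fs.realpathSync() of the final target against the real root.
function resolveWithinRoot(root: string, filePath: string): string | null {
  if (filePath.includes("\0")) return null; // NUL can truncate paths in native layers
  const base = path.resolve(root);
  const resolved = path.resolve(base, filePath); // normalises '.' and '..' segments
  const rel = path.relative(base, resolved);
  const escaped =
    rel === "" || // the root itself, never a file to serve
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel); // different drive on Windows
  return escaped ? null : resolved;
}

// Hardened pattern: "rejected", "missing" and "not a regular file" all
// produce the same response, so nothing outside the root can be enumerated.
function hardenedLookup(root: string, filePath: string): string {
  const target = resolveWithinRoot(root, filePath);
  if (target === null) return "invalid path";
  try {
    return fs.statSync(target).isFile() ? "ok" : "invalid path";
  } catch {
    return "invalid path";
  }
}

// Constructed fixture: a temp upload root holding one legitimate file, plus a
// file one level above it that an attacker should not be able to detect.
function demo(): { vulnerable: string[]; hardened: string[] } {
  const parent = fs.mkdtempSync(path.join(os.tmpdir(), "traversal-demo-"));
  const root = path.join(parent, "uploads");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "song.mp3"), "constructed sample");
  fs.writeFileSync(path.join(parent, "secret.txt"), "constructed sample");
  // Probes: a legitimate file, an existing file outside the root, a missing one.
  const probes = ["song.mp3", "../secret.txt", "../nope.txt"];
  const out = {
    vulnerable: probes.map((p) => vulnerableLookup(root, p)),
    hardened: probes.map((p) => hardenedLookup(root, p)),
  };
  fs.rmSync(parent, { recursive: true, force: true });
  return out;
}

console.log(demo());
```

Running demo() shows the oracle directly: the vulnerable lookup answers "ok" for ../secret.txt and "file not found" for ../nope.txt, distinguishing an existing file from a missing one outside the root, whereas the hardened lookup returns "invalid path" for both. The containment check is done on the normalised path rather than by searching the raw string for "../", so encoded or mixed-separator variants that normalise to the same escape are caught as well.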

Generated by OpenCVE AI on March 24, 2026 at 20:32 UTC.

Remediation

Fixed in Blinko 1.8.4, per the advisory description. No separate workaround for earlier releases is provided; upgrading is the remediation.

OpenCVE Recommended Actions

  • Apply the official patch to Blinko version 1.8.4 or later.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Blinko; Blinko blinko
CPEs                                  cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*
Vendors & Products                    Blinko; Blinko blinko
Metrics                               cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 24 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Blinkospace; Blinkospace blinko
Vendors & Products                    Blinkospace; Blinkospace blinko

Tue, 24 Mar 2026 02:30:00 +0000

Type                 Values Removed   Values Added
Description                           Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.
Title                                 Blinko: Unauthorized Path Traversal File Enumeration - music-metadata
Weaknesses                            CWE-22
References
Metrics                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:13:17.335Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23485

Vulnrichment

Updated: 2026-03-24T14:41:51.453Z

NVD

Status : Analyzed

Published: 2026-03-23T21:17:02.840

Modified: 2026-03-24T18:05:18.710

Link: CVE-2026-23485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:36Z

Weaknesses