CVE-2026-23482

UNKNOWN 0.0

Blinko: Unauthorized Arbitrary File Read - /api/file/temp

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

4th

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user TOKENS. This issue has been patched in version 1.8.4.

CWE	CWE-22
Vendor	blinkospace
Product	blinko
Published	Mar 23, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for blinkospace blinko

Be the first to know when new unknown vulnerabilities affecting blinkospace blinko are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

blinkospace / blinko

< 1.8.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/blinkospace/blinko/security/advisories/GHSA-hrwx-rhrx-f9mm github.com: https://github.com/blinkospace/blinko/commit/c48851090767feba431418630c495d90a7da1781 github.com: https://github.com/blinkospace/blinko/releases/tag/1.8.4