CVE-2026-23882

UNKNOWN 0.0

Blinko: Admin RCE - MCP Server Command Injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

12th

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.

CWE	CWE-78
Vendor	blinkospace
Product	blinko
Published	Mar 23, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for blinkospace blinko

Be the first to know when new unknown vulnerabilities affecting blinkospace blinko are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

blinkospace / blinko

< 1.8.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/blinkospace/blinko/security/advisories/GHSA-59r2-82p8-c56v github.com: https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85 github.com: https://github.com/blinkospace/blinko/releases/tag/1.8.4