CVE-2026-23483

MEDIUM NUCLEI

Blinko: Unauthorized Arbitrary File Read - /plugins

Title source: cna

Exploitation Summary

CVE-2026-23483 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.

Nuclei Templates (1)

Blinko <= 1.8.3 - Path Traversal via /plugins

MEDIUMVERIFIEDby tx1ee

FOFA: icon_hash="-1446811182" || icon_hash="-717082057"

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/blinkospace/blinko/security/advisories/GHSA-54c7-9gxh-fg9v

Scores

CVSS v3 5.3

EPSS 0.0215

EPSS Percentile 84.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

blinko/blinko < 1.8.3

blinkospace/blinko <= 1.8.3

Published Mar 23, 2026

Tracked Since Mar 24, 2026