CVE-2026-23485

MEDIUM

Blinko: Unauthorized Path Traversal File Enumeration - music-metadata

Title source: cna

Description

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.

References (3)

[X_Refsource_Confirm] https://github.com/blinkospace/blinko/security/advisories/GHSA-5x64-pmfq-pw7q

[X_Refsource_Misc] https://github.com/blinkospace/blinko/commit/9d6fa80a3e11a99886f90e048657443335fd3e7d

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/blinkospace/blinko/releases/tag/1.8.4

Scores

CVSS v3 5.3

EPSS 0.0006

EPSS Percentile 18.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

blinko/blinko < 1.8.4

blinkospace/blinko < 1.8.4

Published Mar 23, 2026

Tracked Since Mar 24, 2026