Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
References (3)
x_refsource_confirm
https://github.com/blinkospace/blinko/security/advisories/GHSA-59r2-82p8-c56v
x_refsource_misc
https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85
x_refsource_misc
https://github.com/blinkospace/blinko/releases/tag/1.8.4
Scores
CVSS v3
7.2
EPSS
0.0036
EPSS Percentile
27.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
blinko/blinko
< 1.8.4
blinkospace/blinko
< 1.8.4
Published
Mar 23, 2026
Tracked Since
Mar 24, 2026