CVE-2026-23484

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23484

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23484.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23484

Aliases

GHSA-7v3f-v6vf-jm9q

Published

2026-03-23T20:31:19.999Z

Modified

2026-04-10T05:40:35.099004Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Blinko: Authenticated Arbitrary File Write - saveDevPlugin

Details

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time of publication, there are no publicly available patches.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23484.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/blinkospace/blinko

Affected ranges

Type

GIT

Repo

https://github.com/blinkospace/blinko

Events

Introduced

Last affected

025bef5acfe5d1ebcdbac41d8bdb1a156ba1be87

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.8.3"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-alpha.4

1.0.0-beta.1

1.0.0-beta.3

1.0.0-rc.1

1.0.0-rc.2

1.0.1

1.0.2

1.0.3

1.0.4

1.0.6

1.0.7

1.4.0

1.5.0

1.5.2

1.5.3

1.5.4

1.5.5

1.6.0

1.6.1

1.6.2

1.6.3

1.6.5

1.6.6

1.7.0

1.7.1

1.8.0

1.8.1

1.8.2

1.8.3

v0.*

v0.21.1

v0.21.14

v0.21.8

v0.23.5

v0.24.0

v0.24.1

v0.24.3

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.25.5

v0.25.6

v0.26.0

v0.26.1

v0.26.11

v0.26.12

v0.26.2

v0.26.8

v0.27.0

v0.27.1

v0.27.2

v0.27.6

v0.27.7

v0.28.0

v0.28.1

v0.29.0

v0.29.8

v0.30.2

v0.30.3

v0.30.5

v0.30.6

v0.31.7

v0.31.9

v0.32.0

v0.32.1

v0.32.10

v0.32.12

v0.32.14

v0.32.15

v0.32.16

v0.32.2

v0.32.23

v0.32.3

v0.32.8

v0.33.0

v0.33.1

v0.33.3

v0.34.0

v0.34.12

v0.34.3

v0.34.4

v0.34.6

v0.34.7

v0.35.2

v0.35.7

v0.36.12

v0.36.3

v0.36.6

v0.37.0

v0.37.14

v0.37.16

v0.37.21

v0.37.22

v0.37.3

v0.37.5

v0.37.6

v0.37.8

v0.38.2

v0.38.3

v0.38.5

v0.38.6

v0.39.0

v0.40.5

v0.41.10

v0.41.9

v0.43.4

v0.43.5

v0.43.6

v0.43.7

v0.43.8

v0.44.0

v0.44.1

v0.45.0

v0.45.1

v0.45.3

v0.46.0

v0.46.5

v0.47.1

v0.47.2

v0.47.3

v0.49.1

v0.49.2

v0.49.3

v0.49.4

v0.50.0

v0.51.0

v0.51.1

v0.52.0

v0.52.3

v0.52.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23484.json"