CVE-2026-23882

Source
https://cve.org/CVERecord?id=CVE-2026-23882
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23882.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23882
Aliases
  • GHSA-59r2-82p8-c56v
Published
2026-03-23T20:52:17.200Z
Modified
2026-04-10T05:40:35.121165Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Blinko: Admin RCE - MCP Server Command Injection
Details

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23882.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}

Affected packages

Git / github.com/blinkospace/blinko

Affected ranges

Type
GIT
Repo
https://github.com/blinkospace/blinko
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.4"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-alpha.4
1.0.0-beta.1
1.0.0-beta.3
1.0.0-rc.1
1.0.0-rc.2
1.0.1
1.0.2
1.0.3
1.0.4
1.0.6
1.0.7
1.4.0
1.5.0
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0
1.6.1
1.6.2
1.6.3
1.6.5
1.6.6
1.7.0
1.7.1
1.8.0
1.8.1
1.8.2
1.8.3
v0.*
v0.21.1
v0.21.14
v0.21.8
v0.23.5
v0.24.0
v0.24.1
v0.24.3
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.25.5
v0.25.6
v0.26.0
v0.26.1
v0.26.11
v0.26.12
v0.26.2
v0.26.8
v0.27.0
v0.27.1
v0.27.2
v0.27.6
v0.27.7
v0.28.0
v0.28.1
v0.29.0
v0.29.8
v0.30.2
v0.30.3
v0.30.5
v0.30.6
v0.31.7
v0.31.9
v0.32.0
v0.32.1
v0.32.10
v0.32.12
v0.32.14
v0.32.15
v0.32.16
v0.32.2
v0.32.23
v0.32.3
v0.32.8
v0.33.0
v0.33.1
v0.33.3
v0.34.0
v0.34.12
v0.34.3
v0.34.4
v0.34.6
v0.34.7
v0.35.2
v0.35.7
v0.36.12
v0.36.3
v0.36.6
v0.37.0
v0.37.14
v0.37.16
v0.37.21
v0.37.22
v0.37.3
v0.37.5
v0.37.6
v0.37.8
v0.38.2
v0.38.3
v0.38.5
v0.38.6
v0.39.0
v0.40.5
v0.41.10
v0.41.9
v0.43.4
v0.43.5
v0.43.6
v0.43.7
v0.43.8
v0.44.0
v0.44.1
v0.45.0
v0.45.1
v0.45.3
v0.46.0
v0.46.5
v0.47.1
v0.47.2
v0.47.3
v0.49.1
v0.49.2
v0.49.3
v0.49.4
v0.50.0
v0.51.0
v0.51.1
v0.52.0
v0.52.3
v0.52.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23882.json"