Cyber Resilience

CVE-2026-23482

Severity: High
Published: 23 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: version 1.8.4
CVSS v4 score: 8.2 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0152 (71.4th percentile)
Risk priority: 60 (floored blend, peak EPSS)

Summary

CVE-2026-23482 is a high-severity path traversal (CWE-22) vulnerability in Blinko (vendor: Blinko). Its CVSS v4 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related (AI category: Other Platforms; risk domain: Privacy and Disclosure).

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Blinko, an AI-powered card note-taking application, is affected by a path traversal vulnerability (CWE-22) in its file server endpoint prior to version 1.8.4. The endpoint neither enforces permission checks on the temp/ directory nor sanitizes path traversal sequences, so an unauthenticated client can request arbitrary server files.

An attacker with network access can exploit this flaw to read any file the server process can access. When scheduled backup tasks are enabled, this includes backup archives that contain all user notes and authentication tokens, resulting in full account compromise without credentials or user interaction.

The project has released version 1.8.4 to address the issue, with the fix documented in commit c48851090767feba431418630c495d90a7da1781 and the corresponding GitHub security advisory GHSA-hrwx-rhrx-f9mm. Administrators should upgrade immediately and verify that backup files are stored outside the web-accessible temp/ path.

The EPSS score for this CVE rose from a lower baseline to a peak of 0.2046 (current value 0.1671), indicating that exploitation interest increased after public disclosure.

Vulnerability details

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks are enabled, attackers can read backup files to obtain all user notes and user tokens. This issue has been patched in version 1.8.4.

CWE(s): CWE-22 Path Traversal

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in the public-facing file server endpoint directly enables remote exploitation (T1190) for unauthorized local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23882: same product (Blinko)
CVE-2026-23480: same product (Blinko)
CVE-2025-14301: shared CWE-22
CVE-2025-66687: shared CWE-22
CVE-2025-26753: shared CWE-22
CVE-2025-44177: shared CWE-22
CVE-2023-42226: shared CWE-22
CVE-2026-39859: shared CWE-22
CVE-2024-55457: shared CWE-22
CVE-2025-8343: shared CWE-22

Affected Assets

blinko (vendor) / blinko (product): ≤ 1.8.4

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to the temp/ path and other files, directly addressing the missing permission checks in the file server endpoint.

SI-10 Information Input Validation (prevent): Requires validation of inputs to the file server endpoint so that path traversal sequences such as '../' are filtered, preventing unauthorized arbitrary file reads.

AC-6 Least Privilege (prevent): Limits the privileges of the file server process to the minimum necessary, reducing the impact of a successful path traversal by restricting access to sensitive files such as backups.
