PT-2026-27216 · Blinko · Blinko

Tx1Ee

·

Publicado

2026-03-23

·

Atualizado

2026-03-23

·

CVE-2026-23488

CVSS v4.0

6.9

Média

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Blinko versions prior to 1.8.4
Description Blinko, an AI-powered card note-taking project, contains an issue where the comment feature allows unauthorized access. Specifically, the /api/v1/comment/create endpoint permits attackers to post comments on any note, including private ones, without proper authorization. The /api/v1/comment/list endpoint also suffers from this problem, allowing unauthorized viewing of comments on all notes. The vulnerable parameters are not specified.
Recommendations Update to version 1.8.4 or later.

Exploit

Correção

IDOR

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-639

Identificadores relacionados

CVE-2026-23488
GHSA-84HM-VW62-472M

Produtos afetados

Blinko