PT-2026-27206 · Blinko · Blinko

Tx1Ee · Published 2026-03-23 · Updated 2026-04-30 · CVE-2026-23483

CVSS v4.0: 6.9 Medium

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Blinko versions prior to 1.8.3

Description

Blinko is an AI-powered card note-taking project. Its plugin file server endpoint uses the join() function to concatenate paths but does not verify that the final path is within the plugins directory, leading to a path traversal issue.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
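
The containment check that the description says is missing, shown beside the unchecked join() pattern. This is an added example, not Blinko's code: the function names, the `/srv/app/plugins` directory and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: hypothetical plugin file resolver, not Blinko's code.
// path.posix keeps the results identical on every platform.
const path = require('node:path').posix;

const PLUGINS_DIR = '/srv/app/plugins'; // constructed base directory

// Pattern from the description: join() normalises ".." segments, so the
// result can fall outside PLUGINS_DIR, and nothing checks for that.
function resolveUnchecked(requested) {
  return path.join(PLUGINS_DIR, requested);
}

// Hardened form: resolve first, then require the result to stay under the base.
// Returns the absolute path to serve, or null when the request must be refused.
function resolveContained(requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const base = path.resolve(PLUGINS_DIR);
  const target = path.resolve(base, requested);
  const rel = path.relative(base, target);
  // rel is "" for the base itself and begins with a ".." segment when the
  // target is outside it. Comparing whole segments (not a string prefix)
  // also rejects siblings such as /srv/app/plugins-old.
  if (rel === '' || rel === '..' || rel.startsWith('../')) return null;
  return target;
}

// Constructed sample requests, classified by the hardened resolver.
function audit(requests) {
  return requests.map((r) => ({ request: r, served: resolveContained(r) }));
}

console.log(audit([
  'my-plugin/index.js',
  'my-plugin/../other/a.js',
  '../plugins-old/x.js',
  '../../../etc/passwd',
]));
```

The check is lexical only; where the plugins directory may contain symbolic links, the resolved real paths (for example from `fs.realpathSync`) need the same comparison.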

Exploit

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-23483
GHSA-54C7-9GXH-FG9V

Affected Products

Blinko