Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
8.6 HIGH
CVE-2026-23882 — Blinko: Admin RCE - MCP Server Command Injection

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are execu…

blinko | Remote | Injection
Mar 23, 2026 Mar 24, 2026
6.9 MEDIUM
CVE-2026-23488 — Blinko: multiple interfaces in the comment feature allow unauthorized access

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note…

blinko | Remote | Authorization
Mar 23, 2026 Mar 24, 2026
6.5 MEDIUM
CVE-2026-23487 — Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability in which the user.detail endpoint leaks the superadmin token. This issue has been patched in version …

blinko | Remote | Authorization
Mar 23, 2026 Mar 24, 2026
6.9 MEDIUM
CVE-2026-23486 — Blinko: Unauthorized User Information Leak

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This iss…

blinko | Remote | Information Disclosure
Mar 23, 2026 Mar 24, 2026
6.9 MEDIUM
CVE-2026-23485 — Blinko: Unauthorized Path Traversal File Enumeration - music-metadata

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different e…

blinko | Remote | Path Traversal
Mar 23, 2026 Mar 24, 2026
6.5 MEDIUM
CVE-2026-23484 — Blinko: Authenticated Arbitrary File Write - saveDevPlugin

Blinko is an AI-powered card note-taking project. In versions 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreove…

blinko | Remote | Path Traversal
Mar 23, 2026 Mar 24, 2026
6.9 MEDIUM
CVE-2026-23483 — Blinko: Unauthorized Arbitrary File Read - /plugins

Blinko is an AI-powered card note-taking project. In versions 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify that the final path is within th…

blinko | Remote | Path Traversal
Mar 23, 2026 Mar 24, 2026
8.2 HIGH
CVE-2026-23482 — Blinko: Unauthorized Arbitrary File Read - /api/file/temp

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, a…

blinko | Remote | Path Traversal
Mar 23, 2026 Mar 24, 2026
6.5 MEDIUM
CVE-2026-23481 — Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version…

blinko | Remote | Path Traversal
Mar 23, 2026 Mar 24, 2026
8.8 HIGH
CVE-2026-23480 — Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has three issues: it is missing superAdminAuthMiddleware, …

blinko | Remote | Authentication
Mar 23, 2026 Mar 24, 2026