CVE-2026-23882

EUVD-2026-14545
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
blinkoblinko
𝑥
< 1.8.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/blinkospace/blinko/commit/bef6b770743e87c630db2d00d7049dabd96bfe85
https://github.com/blinkospace/blinko/releases/tag/1.8.4
https://github.com/blinkospace/blinko/security/advisories/GHSA-59r2-82p8-c56v