Blinko: Unauthorized Arbitrary File Read - /plugins

Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly available patches.

N/A

对路径名的限制不恰当(路径遍历)

Blinko 路径遍历漏洞

Blinko是Blinko开源的一款基于人工智能的卡片式笔记应用，专为想要快速捕捉和整理转瞬即逝的灵感的用户而设计。 Blinko 1.8.3及之前版本存在路径遍历漏洞，该漏洞源于插件文件服务器端点使用join()连接路径但未验证最终路径是否在插件目录内，可能导致路径遍历。

N/A

N/A