5.1

CVSS4.0

CVE-2025-60948 - Census CSWeb stored XSS

Census CSWeb 8.0.1 allows stored cross-site scripting in user-supplied fields. A remote, authenticated attacker could store malicious JavaScript that executes in a victim's browser. Fixed in 8.1.0 alpha.

📅 Published: March 23, 2026, 9 p.m. 🔄 Last Modified: March 26, 2026, 12:20 p.m.

8.7

CVSS4.0

CVE-2025-60947 - Census CSWeb arbitrary file upload

Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha.

📅 Published: March 23, 2026, 9 p.m. 🔄 Last Modified: March 26, 2026, 12:20 p.m.

8.7

CVSS4.0

CVE-2025-60946 - Census CSWeb path traversal

Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.

📅 Published: March 23, 2026, 8:59 p.m. 🔄 Last Modified: March 27, 2026, 9:21 a.m.

8.6

CVSS4.0

CVE-2026-23882 - Blinko: Admin RCE - MCP Server Command Injection

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.

📅 Published: March 23, 2026, 8:52 p.m. 🔄 Last Modified: March 25, 2026, 8:36 p.m.

6.9

CVSS4.0

CVE-2026-23485 - Blinko: Unauthorized Path Traversal File Enumeration - music-metadata

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the filePath parameter accepts path traversal sequences, allowing enumeration of file existence on the server via different error responses. This issue has been patched in version 1.8.4.

📅 Published: March 23, 2026, 8:50 p.m. 🔄 Last Modified: March 25, 2026, 8:36 p.m.

6.9

CVSS4.0

CVE-2026-23488 - Blinko: multiple interfaces in the comment feature allow unauthorized access

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note (including private notes) without authorization, even if the note has not been publicly shared. The…

📅 Published: March 23, 2026, 8:48 p.m. 🔄 Last Modified: March 25, 2026, 8:36 p.m.

6

CVSS4.0

CVE-2026-23487 - Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability in which the user.detail endpoint leaks the superadmin token. This issue has been patched in version 1.8.4.

📅 Published: March 23, 2026, 8:45 p.m. 🔄 Last Modified: March 25, 2026, 8:36 p.m.

6.9

CVSS4.0

CVE-2026-23486 - Blinko: Unauthorized User Information Leak

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4.

📅 Published: March 23, 2026, 8:42 p.m. 🔄 Last Modified: March 25, 2026, 8:36 p.m.

5.3

CVSS4.0

CVE-2026-23480 - Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided pa…

📅 Published: March 23, 2026, 8:39 p.m. 🔄 Last Modified: March 25, 2026, 8:36 p.m.

5.3

CVSS4.0

CVE-2026-23481 - Blinko: Authenticated Arbitrary File Write - saveAdditionalDevFile

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an authenticated arbitrary file write vulnerability in saveAdditionalDevFile. This issue has been patched in version 1.8.4.

📅 Published: March 23, 2026, 8:33 p.m. 🔄 Last Modified: March 25, 2026, 8:36 p.m.