Tag
high
advisory
Blinko Pre-1.8.4 OS Command Injection Vulnerability
2 rules, 1 TTP, 4 IOCs
Blinko versions before 1.8.4 are vulnerable to OS Command Injection (CWE-78), where the MCP server creation function allows specifying arbitrary commands and arguments that are executed when testing the connection, potentially leading to code execution for attackers with high privileges.
cve-2026-23882
command-injection
blinko
critical
advisory
Blinko Privilege Escalation via upsertUser Endpoint
2 rules, 1 TTP
An authenticated user can exploit the Blinko upsertUser endpoint to escalate privileges, modify other users' passwords, and achieve account takeover due to missing authentication and verification checks.
privilege-escalation
cve-2026-23480
blinko