Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the dual requirement of Anki running and a non-PNA browser; UI:R for mandatory malicious-site visit; no availability impact evident from the description.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on aqt (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 25.9.3.
DescriptionCVE.org
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requests to the local server, with severity varying by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3.
AnalysisAI
Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the victim must have Anki open and its local HTTP server actively running at the time of the attack; (2) the victim must visit an attacker-controlled webpage in the same browser session; (3) the victim's browser must not enforce Private Network Access (PNA) protections - browsers such as recent Chromium releases with PNA enabled will block the cross-origin localhost request with a preflight rejection, defeating the attack. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N accurately reflects a low-priority finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A victim with Anki running visits an attacker-controlled webpage. The page's JavaScript issues fetch requests targeting the Anki local HTTP server (typically on localhost with a fixed or discoverable port). … |
| Remediation | Vendor-released patch: 25.09.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. Rated high severity
An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. Rate
An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. Rated medium severity (CVSS 6.5), this vulnera
A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. Rated medium severity (CVSS
Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a vi
An issue was discovered in Ankitects Anki through 25.02. Rated medium severity (CVSS 6.1), this vulnerability is remotel
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42112
GHSA-869j-r97x-hx2g