Skip to main content

Anki

7 CVEs product

Monthly

CVE-2026-58266 PyPI MEDIUM PATCH This Month

Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a victim's system by distributing a maliciously crafted card package (.apkg). The root cause is an origin validation failure (CWE-346) in Anki's internal localhost API, which fails to block iframe-embedded scripts from accessing privileged backend methods such as getImageForOcclusion. Exploitation requires the victim to import the malicious deck; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Anki
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59153 PyPI LOW PATCH GHSA Monitor

Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). The practical severity varies significantly by browser: implementations with Private Network Access (PNA) protections block such requests by default, limiting real-world impact to older or less-restrictive browser configurations. No public exploit identified at time of analysis, though security researcher Tavis Ormandy (Google Project Zero) publicly discussed the issue on X, indicating independent researcher awareness.

Information Disclosure Anki
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2025-43703 MEDIUM PATCH This Month

An issue was discovered in Ankitects Anki through 25.02. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Anki
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-32484 HIGH POC THREAT This Week

An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Python Anki
NVD
CVSS 3.1
8.2
EPSS
25.9%
CVE-2024-32152 PyPI MEDIUM POC PATCH THREAT This Month

A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Anki
NVD
CVSS 3.1
4.3
EPSS
12.1%
CVE-2024-29073 PyPI MEDIUM POC PATCH THREAT This Month

An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Anki
NVD
CVSS 3.1
6.5
EPSS
11.5%
CVE-2024-26020 PyPI HIGH POC PATCH THREAT This Week

An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Anki
NVD
CVSS 3.1
8.8
EPSS
15.1%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Arbitrary file read and exfiltration in Anki prior to 25.09.4 allows a remote attacker to access sensitive files on a victim's system by distributing a maliciously crafted card package (.apkg). The root cause is an origin validation failure (CWE-346) in Anki's internal localhost API, which fails to block iframe-embedded scripts from accessing privileged backend methods such as getImageForOcclusion. Exploitation requires the victim to import the malicious deck; no public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Anki
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). The practical severity varies significantly by browser: implementations with Private Network Access (PNA) protections block such requests by default, limiting real-world impact to older or less-restrictive browser configurations. No public exploit identified at time of analysis, though security researcher Tavis Ormandy (Google Project Zero) publicly discussed the issue on X, indicating independent researcher awareness.

Information Disclosure Anki
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

An issue was discovered in Ankitects Anki through 25.02. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Anki
NVD GitHub
EPSS 26% CVSS 8.2
HIGH POC THREAT This Week

An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Python +1
NVD
EPSS 12% CVSS 4.3
MEDIUM POC PATCH THREAT This Month

A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Anki
NVD
EPSS 12% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Anki
NVD
EPSS 15% CVSS 8.8
HIGH POC PATCH THREAT This Week

An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Anki
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy