CVE-2024-26020
published 2024-07-22
CVE-2024-26020: An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to arbitrary code…
Priority P261 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 15.07% (96.3th percentile)
An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to arbitrary code execution. An attacker can send a malicious flashcard to trigger this vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ankitects | anki | — | — |
| ankitects | anki | >= 0 < 24.06 | 24.06 |
| ankiweb | anki | — | — |
| debian | anki | — | — |
Detection & IOCs (extracted from sources)
- The attack vector is delivery of a specially crafted flashcard to a targeted user, triggering arbitrary script execution through the MPV functionality in Ankitects Anki 24.04.
- The vulnerability is specific to Ankitects Anki version 24.04 and its MPV (media player) functionality; patched versions are not affected.
- Debian bullseye tracking shows this CVE remains open (unpatched) in that distribution as of the source date, meaning Debian bullseye users may still be exposed.
CVSS provenance
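| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 9.6 | CRITICAL | — |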
GHSA
Ankitects Anki arbitrary script execution vulnerability
ghsa·2024-07-22
CVE-2024-26020 [HIGH] CWE-74 Ankitects Anki arbitrary script execution vulnerability
OSV
Ankitects Anki arbitrary script execution vulnerability
osv·2024-07-22
CVE-2024-26020 [HIGH] Ankitects Anki arbitrary script execution vulnerability
OSV
CVE-2024-26020: An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24
osv·2024-07-22·CVSS 8.8
CVE-2024-26020 [HIGH] CVE-2024-26020: An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24
Debian
CVE-2024-26020: anki - An arbitrary script execution vulnerability exists in the MPV functionality of A...
vendor_debian·2024·CVSS 9.6
CVE-2024-26020 [CRITICAL] CVE-2024-26020: anki - An arbitrary script execution vulnerability exists in the MPV functionality of A...
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Talos
Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues
blogs_talos·2024-07-31·CVSS 7.8
[HIGH] Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues
Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.
The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10.
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted
Checkpoint
29th July – Threat Intelligence Report
blogs_checkpoint·2024-07-29
CVE-2024-32484 29th July – Threat Intelligence Report
## 29th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Superior Court of Los Angeles was forced to shut down its network following a ransomware attack. The court, the largest in the United States, has closed all of its 36 courthouse locations due to the attack for a few days. No ransomware group has publicly claimed responsibility for the attack.
American cybersecurity firm Kn
2024-07-22
Published