# CVE-2024-32484
Published 2024-07-22
Priority: P3 51
Severity: high, CVSS 3.1 base score 8.2
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
EPSS: 25.92% (97.7th percentile)
A reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ankitects | anki | <= 25.02 | — |
| ankitects | anki | <= 25.02 | — |
| ankitects | anki | — | — |
| debian | anki | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N |
| ghsa | — | 6.5 | MEDIUM | — |
| osv | — | 8.2 | HIGH | — |
| vendor_debian | — | 7.4 | HIGH | — |
Debian
CVE-2025-43703 [HIGH] anki
vendor_debian · 2025 · CVSS 7.4
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.
Scope: local
bullseye: resolved
Debian
CVE-2024-32484 [HIGH] anki
vendor_debian · 2024 · CVSS 7.4
A reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
Scope: local
bullseye: open
GHSA
CVE-2024-29073 [MEDIUM] CWE-22 Anki: User scripts in iframes have access to the internal Anki API
ghsa · 2026-06-19 · CVSS 6.5
## Summary
Anki's webview-based pages communicate with the Rust backend using an internal localhost API. Anki implements measures to prevent user scripts run in the reviewer/editor from accessing this API (https://github.com/ankitects/anki/pull/3925) but it inadvertently allows access to scripts included via iframes in the editor. While overall only a limited set of API methods are exposed, some such as `getImageForOcclusion` can read arbitrary files.
**CWE:** CWE-22 (Path Traversal)
**Reporter:** Bankde (Eakasit)
## Affected Products
| Ecosystem | Package | Affected Versions |
| --------- | ------- | ----------------- |
| PyPI | `aqt` | `` tags before importing.
- Block unexpected outbound network requests from the An
GHSA
CVE-2025-43703 [HIGH] CWE-830 GHSA-634v-x2r3-jm25
ghsa_unreviewed · 2025-04-17 · CVSS 7.4
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.
OSV
CVE-2025-43703 [HIGH]
osv · 2025-04-16 · CVSS 8.2
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.
OSV
CVE-2024-32484 [HIGH]
osv · 2024-07-22 · CVSS 8.2
A reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
GHSA
CVE-2024-32484 [HIGH] CWE-80 GHSA-r6f4-5657-3fp7
ghsa_unreviewed · 2024-07-22
A reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
No detection rules found.
No public exploits indexed.
Talos
[HIGH] Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues
blogs_talos · 2024-07-31 · CVSS 7.8
Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.
The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10.
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted
Checkpoint
CVE-2024-32484: 29th July – Threat Intelligence Report
blogs_checkpoint · 2024-07-29
## 29th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Superior Court of Los Angeles was forced to shut down its network following a ransomware attack. The court, the largest in the United States, has closed all of its 36 courthouse locations due to the attack for a few days. No ransomware group has publicly claimed responsibility for the attack.
American cybersecurity firm Kn