CVE-2025-62185
Published 2025-10-07
Priority P3 · 40 · high · 7.8 CVSS 3.1
EPSS: 0.14% (3.5th percentile)
In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp_x86.exe.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ankitects | anki | < 25.02.5 | 25.02.5 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 6.5 | MEDIUM | |
GHSA
CVE-2024-29073 [MEDIUM] CWE-22 · ghsa · 2026-06-19 · CVSS 6.5
Anki: User scripts in iframes have access to the internal Anki API
## Summary
Anki's webview-based pages communicate with the Rust backend using an internal localhost API. Anki implements measures to prevent user scripts run in the reviewer/editor from accessing this API (https://github.com/ankitects/anki/pull/3925) but it inadvertently allows access to scripts included via iframes in the editor. While overall only a limited set of API methods are exposed, some such as `getImageForOcclusion` can read arbitrary files.
**CWE:** CWE-22 (Path Traversal)
**Reporter:** Bankde (Eakasit)
## Affected Products
| Ecosystem | Package | Affected Versions |
| --------- | ------- | ----------------- |
| PyPI | `aqt` | |
- … tags before importing.
- Block unexpected outbound network requests from the An
GHSA
CVE-2025-62185 [MEDIUM] CWE-427 · ghsa_unreviewed · 2025-10-07
GHSA-j6hh-cgvw-j237: In Ankitects Anki before 25
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-10-07