CVE-2025-62187
Published 2025-10-07
Priority: P4 · Severity: Low · CVSS 3.1 base score: 3.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.16% (5.6th percentile)
In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).
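The parenthetical is the whole bug: a filename lifted from a `[sound:...]` reference was joined onto the media folder without being constrained to it, so `..` components or an absolute path could steer the write elsewhere. The following is an added illustration, not Anki's own code: a minimal stand-in for the `[sound:...]` syntax, the weak join pattern beside a hardened check that accepts only a bare filename and verifies the resolved target stays inside the media folder, run over a constructed note field. The media directory path, the helper names and the sample references are assumptions for the example.

```python
import ntpath
import os
import posixpath
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Simplified stand-in for Anki's [sound:...] field syntax; Anki's real
# parser is not reproduced here.
SOUND_REF = re.compile(r"\[sound:([^\]]+)\]")


def extract_sound_refs(field_html: str) -> List[str]:
    """Return the raw filenames referenced by [sound:...] tags in a note field."""
    return SOUND_REF.findall(field_html)


def naive_media_target(media_dir: str, name: str) -> str:
    """The weak pattern: join the referenced name straight onto the media folder.

    os.path.join discards media_dir when name is absolute, and normpath folds
    '..' components, so the resulting path can land anywhere the user can write.
    """
    return os.path.normpath(os.path.join(media_dir, name))


class UnsafeMediaName(ValueError):
    """Raised when a media reference is not a bare filename inside the media folder."""


def safe_media_target(media_dir: str, name: str) -> str:
    """Hardened: accept only a bare filename, then confirm the resolved path stays in media_dir."""
    if not name or name in (".", ".."):
        raise UnsafeMediaName(f"empty or dot name: {name!r}")
    # Separators of either platform, and NUL, never belong in a media filename.
    if any(ch in name for ch in "/\\\x00"):
        raise UnsafeMediaName(f"path separator in name: {name!r}")
    # Reject absolute and drive-qualified forms on both platforms
    # ('C:foo' is drive-relative on Windows even without a separator).
    if posixpath.isabs(name) or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise UnsafeMediaName(f"absolute or drive-qualified name: {name!r}")
    base = Path(media_dir).resolve()
    # resolve() follows symlinks, so a planted link inside the media folder is caught too.
    target = (base / name).resolve()
    if target.parent != base:
        raise UnsafeMediaName(f"{name!r} resolves outside the media folder: {target}")
    return str(target)


def check_field(media_dir: str, field_html: str) -> List[Tuple[str, str, Optional[str]]]:
    """For each reference: (name, where the naive join would write, allowed path or None if rejected)."""
    results = []
    for name in extract_sound_refs(field_html):
        try:
            allowed: Optional[str] = safe_media_target(media_dir, name)
        except UnsafeMediaName:
            allowed = None
        results.append((name, naive_media_target(media_dir, name), allowed))
    return results


# Constructed sample input (assumed media folder path; hostile references invented for the demo).
MEDIA_DIR = "/home/user/.local/share/Anki2/User 1/collection.media"
WIN_NAME = r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.bat"
SAMPLE_FIELD = (
    "word [sound:beep.mp3] "
    "[sound:../../.bashrc] "
    "[sound:/etc/cron.d/job] "
    f"[sound:{WIN_NAME}]"
)

if __name__ == "__main__":
    for name, naive, allowed in check_field(MEDIA_DIR, SAMPLE_FIELD):
        print(f"{name!r}\n  naive join -> {naive}\n  hardened   -> {allowed or 'REJECTED'}")
```

The containment test on the resolved path is deliberately kept even though the separator and absolute-path checks already reject every hostile name above: it is the backstop that holds if a future change relaxes the name filter, and it covers the symlink case that string checks cannot see.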
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ankitects | anki | < 25.02.6 | 25.02.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| GHSA | | 6.5 | MEDIUM | |
GHSA (related advisory)
ghsa · 2026-06-19 · CVSS 6.5
CVE-2024-29073 [MEDIUM] CWE-22 (Path Traversal)
Anki: User scripts in iframes have access to the internal Anki API
## Summary
Anki's webview-based pages communicate with the Rust backend using an internal localhost API. Anki implements measures to prevent user scripts run in the reviewer/editor from accessing this API (https://github.com/ankitects/anki/pull/3925) but it inadvertently allows access to scripts included via iframes in the editor. While overall only a limited set of API methods are exposed, some such as `getImageForOcclusion` can read arbitrary files.
**CWE:** CWE-22 (Path Traversal)
**Reporter:** Bankde (Eakasit)
## Affected Products
| Ecosystem | Package | Affected Versions |
| --------- | ------- | ----------------- |
| PyPI | `aqt` | (not captured on this page) |

- `` tags before importing.
- Block unexpected outbound network requests from the An
GHSA
GHSA-cvrh-qggv-7gf8 (ghsa_unreviewed · 2025-10-07)
CVE-2025-62187 [LOW] CWE-23 (Relative Path Traversal)
Description: as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.