cbcvebase.

Ankitects Anki vulnerabilities

8 known vulnerabilities affecting ankitects/anki.

Total CVEs
8
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH4MEDIUM3LOW1

Vulnerabilities

Page 1 of 1
CVE-2024-26020P2HIGHCVSS 8.8v24.042024-07-22
CVE-2024-26020 [HIGH] CWE-74 CVE-2024-26020: An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send malicious flashcard to trigger this vulnerability.
ghsanvdosv
CVE-2024-32484P3HIGHCVSS 8.2v24.04≤ 25.022024-07-22
CVE-2024-32484 [HIGH] CWE-80 CVE-2024-32484: An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankite An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
nvd
CVE-2025-62186P3HIGHCVSS 7.8fixed in 25.02.52025-10-07
CVE-2025-62186 [HIGH] CWE-829 CVE-2025-62186: Ankitects Anki before 25.02.5 allows a crafted shared deck on Windows to execute arbitrary commands Ankitects Anki before 25.02.5 allows a crafted shared deck on Windows to execute arbitrary commands when playing audio because of URL scheme mishandling.
nvd
CVE-2024-29073P3MEDIUMCVSS 6.5v24.042024-07-22
CVE-2024-29073 [MEDIUM] CWE-829 CVE-2024-29073: An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vuln
ghsanvdosv
CVE-2025-62185P3HIGHCVSS 7.8fixed in 25.02.52025-10-07
CVE-2025-62185 [HIGH] CWE-427 CVE-2025-62185: In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp_x86.exe.
nvd
CVE-2024-32152P4MEDIUMCVSS 4.3v24.042024-07-22
CVE-2024-32152 [MEDIUM] CWE-184 CVE-2024-32152: A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specia A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.
ghsanvdosv
CVE-2025-43703P4MEDIUMCVSS 5.4≤ 25.022025-04-16
CVE-2025-43703 [MEDIUM] CVE-2025-43703: An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacke An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.
nvd
CVE-2025-62187P4LOWCVSS 3.3fixed in 25.02.62025-10-07
CVE-2025-62187 [LOW] CWE-23 CVE-2025-62187: In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to a In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).
nvd
Ankitects Anki vulnerabilities | cvebase