6 matches found
CVE-2025-43703
Anki (Ankitects) up to version 25.02 is affected by CVE-2025-43703, which allows attacker-controlled access to the internal API via a crafted shared deck, even without knowledge of an API key. The issue stems from an incomplete fix for CVE-2024-32484 and can be triggered through methods such as s...
CVE-2024-32152
CVE-2024-32152 affects Ankitects Anki 24.04’s LaTeX processing, where a specially crafted flashcard can bypass the blocklist and cause arbitrary file creation at a fixed path. The issue arises from the LaTeX blocklist bypass in the Anki LaTeX module, enabling an attacker to trigger file creation ...
CVE-2024-32484
Affected product: Ankitects Anki (entries reference Anki up to 25.02). The connected documents indicate CVE-2025-43703 describes an incomplete fix for CVE-2024-32484, resulting in attacker‑controlled access to the internal API via crafted decks/SRC attributes, effectively enabling scripted access...
CVE-2025-62185
In Ankitects Anki prior to 25.02.5, a crafted shared deck can place a YouTube downloader executable (names include youtube-dl.exe, yt-dlp.exe, or yt-dlp_x86.exe) in the media folder. This executable can be run when a YouTube link is present in the deck, enabling potential arbitrary code execution...
CVE-2025-62187
In Ankitects Anki prior to 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux because media file pathnames are not necessarily relative to the media folder. The vulnerability affects the media handling component and arises from impro...
CVE-2025-62186
Anki (Ankitects) on Windows is affected by CVE-2025-62186: versions prior to 25.02.5 are vulnerable to arbitrary command execution when playing audio via a crafted shared deck due to URL scheme mishandling. The root cause is improper handling of URL schemes in the shared deck workflow. Affected p...