ankitects/anki

ankitects/anki

apps.ankiweb.net

Releases171

Frequency4 weeks 20 hours

Last Release 11 days ago

Stars28.8K

Anki is a smart spaced repetition flashcard program

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-62187 ↗	Oct 7, 2025Tuesday, 7 October 2025, 21:15	2.9 LOW	—
In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).
CVE-2025-62185 ↗	Oct 7, 2025Tuesday, 7 October 2025, 21:15	6.7 MEDIUM	—
In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp_x86.exe.
CVE-2025-62186 ↗	Oct 7, 2025Tuesday, 7 October 2025, 21:15	6.7 MEDIUM	—
Ankitects Anki before 25.02.5 allows a crafted shared deck on Windows to execute arbitrary commands when playing audio because of URL scheme mishandling.
CVE-2025-43703 ↗	Apr 16, 2025Wednesday, 16 April 2025, 22:15	6.1 MEDIUM	—
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.