Approved changes feed: RSS · Atom

cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorAnkitects (8844526a-9309-5499-909a-410f664c1c4d)
ProductAnki (e7a18540-f1b6-59b9-a7a2-c07fbab0df75)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:github/ankitects/anki purl2cpe 2026-06-01 10:11:14.759564

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-62187 vulnerable 2026-06-08 07:37:28.761612 Details available
LOW (2.9)
In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).
Published: 2025-10-07T00:00:00.000Z
Updated: 2025-10-08T13:24:39.026Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-62186 vulnerable 2026-06-08 07:37:28.761358 Details available
MEDIUM (6.7)
Ankitects Anki before 25.02.5 allows a crafted shared deck on Windows to execute arbitrary commands when playing audio because of URL scheme mishandling.
Published: 2025-10-07T00:00:00.000Z
Updated: 2025-10-08T13:27:47.374Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-62185 vulnerable 2026-06-08 07:37:28.761060 Details available
MEDIUM (6.7)
In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp_x86.exe.
Published: 2025-10-07T00:00:00.000Z
Updated: 2025-10-08T14:59:13.616Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-43703 vulnerable 2026-06-08 07:25:09.267239 Details available
MEDIUM (6.1)
An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.
Published: 2025-04-16T00:00:00.000Z
Updated: 2025-04-17T13:56:42.103Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-32484 vulnerable 2026-06-08 06:35:33.203756 Details available
HIGH (7.4)
An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
Published: 2024-07-22T14:20:25.571Z
Updated: 2025-11-04T17:20:19.020Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-32152 vulnerable 2026-06-08 06:35:32.976210 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-29073 vulnerable 2026-06-08 06:33:28.649194 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-26020 vulnerable 2026-06-08 06:31:24.660573 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.