PT-2026-53769 · Pypi · Aqt

Publicado

2026-06-19

·

Atualizado

2026-06-19

CVSS v4.0

8.7

Alta

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways:
  1. No sufficient validation of the Origin header.
  2. Some endpoints are vulnerable to path traversal attacks.
This allows malicious websites to exfiltrate local files given a known path.

Browser impact

The severity varies by browser because of Private Network Access (PNA), a newer spec that restricts web pages from making requests to localhost/local network addresses:
Chrome/Chromium (including Edge, Brave): Largely protected, as Chrome has implemented PNA restrictions for several years and now puts local network access behind a permission prompt. Safari: Hasn't implemented PNA yet, though macOS has some OS-level protections. Firefox: Most vulnerable — hasn't implemented PNA yet, though it's reportedly planned for Firefox 151.

Patches

The issue was fixed as of Anki 25.09.3

Correção

Origin Validation Error

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-869J-R97X-HX2G

Produtos afetados

Aqt