PT-2026-53769 · Pypi · Aqt
Publicado
2026-06-19
·
Atualizado
2026-06-19
CVSS v4.0
8.7
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways:
- No sufficient validation of the Origin header.
- Some endpoints are vulnerable to path traversal attacks.
This allows malicious websites to exfiltrate local files given a known path.
Browser impact
The severity varies by browser because of Private Network Access (PNA), a newer spec that restricts web pages from making requests to localhost/local network addresses:
Chrome/Chromium (including Edge, Brave): Largely protected, as Chrome has implemented PNA restrictions for several years and now puts local network access behind a permission prompt.
Safari: Hasn't implemented PNA yet, though macOS has some OS-level protections.
Firefox: Most vulnerable — hasn't implemented PNA yet, though it's reportedly planned for Firefox 151.
Patches
The issue was fixed as of Anki 25.09.3
Correção
Origin Validation Error
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Aqt