PT-2026-53769 · Pypi · Aqt
Published
2026-06-19
·
Updated
2026-06-19
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways:
- No sufficient validation of the Origin header.
- Some endpoints are vulnerable to path traversal attacks.
This allows malicious websites to exfiltrate local files given a known path.
Browser impact
The severity varies by browser because of Private Network Access (PNA), a newer spec that restricts web pages from making requests to localhost/local network addresses:
Chrome/Chromium (including Edge, Brave): Largely protected, as Chrome has implemented PNA restrictions for several years and now puts local network access behind a permission prompt.
Safari: Hasn't implemented PNA yet, though macOS has some OS-level protections.
Firefox: Most vulnerable — hasn't implemented PNA yet, though it's reportedly planned for Firefox 151.
Patches
The issue was fixed as of Anki 25.09.3
Fix
Origin Validation Error
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Aqt