PT-2026-53769 · Pypi · Aqt

Published

2026-06-19

·

Updated

2026-06-19

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways:
  1. No sufficient validation of the Origin header.
  2. Some endpoints are vulnerable to path traversal attacks.
This allows malicious websites to exfiltrate local files given a known path.

Browser impact

The severity varies by browser because of Private Network Access (PNA), a newer spec that restricts web pages from making requests to localhost/local network addresses:
Chrome/Chromium (including Edge, Brave): Largely protected, as Chrome has implemented PNA restrictions for several years and now puts local network access behind a permission prompt. Safari: Hasn't implemented PNA yet, though macOS has some OS-level protections. Firefox: Most vulnerable — hasn't implemented PNA yet, though it's reportedly planned for Firefox 151.

Patches

The issue was fixed as of Anki 25.09.3

Fix

Origin Validation Error

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-869J-R97X-HX2G

Affected Products

Aqt