VYPR
Vendor

Ankitects

Products
1
CVEs
8
Across products
8
Status
Private

Products

1

Recent CVEs

8
  • CVE-2024-26020CriJul 22, 2024
    risk 0.57cvss 9.6epss 0.15

    An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send malicious flashcard to trigger this vulnerability.

  • CVE-2024-32484HigJul 22, 2024
    risk 0.50cvss 7.4epss 0.26

    An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger…

  • CVE-2024-29073MedJul 22, 2024
    risk 0.28cvss 5.3epss 0.12

    An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an…

  • CVE-2024-32152LowJul 22, 2024
    risk 0.14cvss 3.1epss 0.12

    A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.

  • CVE-2025-62187Oct 7, 2025
    risk 0.00cvss epss 0.00

    In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).

  • CVE-2025-62186Oct 7, 2025
    risk 0.00cvss epss 0.00

    Ankitects Anki before 25.02.5 allows a crafted shared deck on Windows to execute arbitrary commands when playing audio because of URL scheme mishandling.

  • CVE-2025-62185Oct 7, 2025
    risk 0.00cvss epss 0.00

    In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp_x86.exe.

  • CVE-2025-43703MedApr 16, 2025
    risk 0.00cvss 6.1epss 0.00

    An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE:…