Skip to content

Ankitects Anki arbitrary script execution vulnerability

Critical severity GitHub Reviewed Published Jul 22, 2024 to the GitHub Advisory Database • Updated Jul 25, 2024

Package

pip anki (pip)

Affected versions

< 24.06

Patched versions

24.06

Description

An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send malicious flashcard to trigger this vulnerability.

References

Published by the National Vulnerability Database Jul 22, 2024
Published to the GitHub Advisory Database Jul 22, 2024
Reviewed Jul 25, 2024
Last updated Jul 25, 2024

Severity

Critical
9.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2024-26020

GHSA ID

GHSA-9gq7-p5w9-w899

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.