{"vulnerability": "ghsa-cw6h-ffmh-x6vh", "sightings": [{"uuid": "40543bed-c05a-45a5-bf74-5b8739685da1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-CW6H-FFMH-X6VH", "type": "seen", "source": "https://gist.github.com/alon710/e6564d67c9e3094972e0bf9eb5cc1cf8", "content": "# GHSA-CW6H-FFMH-X6VH: GHSA-CW6H-FFMH-X6VH: Arbitrary Local File Disclosure via Same-Origin Policy Bypass in Anki Desktop\n\n&gt; **CVSS Score:** 6.5\n&gt; **Published:** 2026-06-19\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-CW6H-FFMH-X6VH\n\n## Summary\nAnki Desktop for Windows, macOS, and Linux is vulnerable to local file disclosure and data exfiltration due to an iframe-based Same-Origin Policy (SOP) bypass. Maliciously crafted user scripts inside imported deck files run within the localhost context, bypassing security filters to query internal endpoints and read arbitrary system files.\n\n## TL;DR\nUser-supplied HTML and SVG files within imported Anki decks can bypass Same-Origin Policy protections inside Anki's local media server, enabling unauthenticated reads of sensitive local files and immediate out-of-band data exfiltration.\n\n## Technical Details\n\n- **CWE ID**: CWE-346 / CWE-22\n- **Attack Vector**: Network\n- **CVSS Score**: 6.5\n- **Exploit Status**: Proof-of-Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Anki Desktop for Windows\n- Anki Desktop for macOS\n- Anki Desktop for Linux\n- aqt python module\n- **aqt**: &lt;= 25.09.3 (Fixed in: `25.09.4`)\n\n## Mitigation\n\n- Update Anki Desktop to version 25.09.4 or higher.\n- Do not import untrusted card packages (.apkg) from unverified third-party sources.\n- Utilize personal firewall solutions to restrict local Anki processes from executing anomalous outbound connections.\n\n**Remediation Steps:**\n1. Download the verified package for version 25.09.4 or above.\n2. Run the installer to overwrite legacy file handlers and apply the server-level CSP controls.\n3. Verify profile directories to clean up unused imported files.\n\n## References\n\n- [GitHub Security Advisory GHSA-CW6H-FFMH-X6VH](https://github.com/advisories/GHSA-CW6H-FFMH-X6VH)\n- [Anki Security Advisory for GHSA-cw6h-ffmh-x6vh](https://github.com/ankitects/anki/security/advisories/GHSA-cw6h-ffmh-x6vh)\n- [Anki Fix Commit 8f39ce82d575434319e479bb94f43de28523c6eb](https://github.com/ankitects/anki/commit/8f39ce82d575434319e479bb94f43de28523c6eb)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-CW6H-FFMH-X6VH) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-22T02:42:07.000000Z"}]}