python · aqt · Critical

aqt (Anki) 25.09.3 fixes Origin validation and path traversal

20 Jun 2026 · Read 1 min · Severity: act now

What changed

Anki's local HTTP server validated the Origin header insufficiently and was vulnerable to path traversal, which allowed malicious websites to exfiltrate local files. Fixed in Anki 25.09.3.

Who it affects

Users of Anki (aqt) prior to version 25.09.3, especially those using Firefox, which lacks Private Network Access protections.

What to do today

Upgrade to Anki 25.09.3 or later immediately.
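
The two checks named above, as an added sketch for a loopback-only file server: an exact-match Origin test and a resolved-path containment test, both applied before any file is read. This is not Anki's code or its actual fix; the function names, port 40000 and the sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlsplit

def origin_allowed(origin, port):
    """Exact match on parsed scheme, host and port of the Origin header."""
    if not origin:  # assumption of this sketch: a missing Origin is untrusted
        return False
    try:
        parts = urlsplit(origin)
        origin_port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Compare parsed fields; prefix or substring tests accept look-alike hosts.
    return (parts.scheme == "http" and origin_port == port
            and parts.hostname in ("127.0.0.1", "localhost"))

def resolve_under(root, url_path):
    """Return the regular file under root named by url_path, else None."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    root = Path(root).resolve()
    # Resolve "..", percent-encoded dots and symlinks before the containment test.
    candidate = (root / decoded.lstrip("/")).resolve()
    if root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None

def handle(headers, url_path, root, port):
    """Return (status, body) for a GET; both checks run before any read."""
    if not origin_allowed(headers.get("Origin"), port):
        return 403, b""
    target = resolve_under(root, url_path)
    return (404, b"") if target is None else (200, target.read_bytes())

def demo():
    """Status codes for constructed requests against a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp, "media")
        media.mkdir()
        (media / "card.css").write_bytes(b"body{}")
        Path(tmp, "secret.txt").write_bytes(b"private")  # outside the served root
        own = {"Origin": "http://127.0.0.1:40000"}
        lookalike = {"Origin": "http://127.0.0.1.evil.example:40000"}
        requests = [(own, "/card.css"), (own, "/../secret.txt"),
                    (own, "/%2e%2e/secret.txt"), (lookalike, "/card.css"),
                    ({"Origin": "null"}, "/card.css"), ({}, "/card.css")]
        return [handle(h, p, media, 40000)[0] for h, p in requests]

if __name__ == "__main__":
    print(demo())
```

Only the first constructed request, from the server's own origin for a file inside the served root, returns 200; the traversal attempts get 404 and the foreign, `null` and missing origins get 403.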
