GHSA-869j-r97x-hx2g: Anki's local HTTP server does not sufficiently validate requests

June 19, 2026

Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways:

No sufficient validation of the Origin header.
Some endpoints are vulnerable to path traversal attacks.

This allows malicious websites to exfiltrate local files given a known path.

References

github.com/advisories/GHSA-869j-r97x-hx2g
github.com/ankitects/anki/security/advisories/GHSA-869j-r97x-hx2g
x.com/taviso/status/2051310678800253318

Code Behaviors & Features

Detect and mitigate GHSA-869j-r97x-hx2g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →