Debian Package Tracker
Register | Log in
Subscribe

anki

extensible flashcard learning program

Choose email to subscribe with

general
  • source: anki (main)
  • version: 2.1.15+dfsg-3
  • maintainer: Julian Gilbey (DMD)
  • arch: all
  • std-ver: 4.1.5
  • VCS: Git (Browse)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.1.15+dfsg-3
versioned links
  • 2.1.15+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • anki
package is gone
This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.
action needed
6 security issues in bullseye high

There are 6 open security issues in bullseye.

2 important issues:
  • CVE-2026-58266: Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and exfiltrate them over the network. This issue is fixed in version 25.09.4.
  • CVE-2026-59153: Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requests to the local server, with severity varying by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3.
4 issues postponed or untriaged:
  • CVE-2024-26020: (postponed; to be fixed through a stable update) An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send malicious flashcard to trigger this vulnerability.
  • CVE-2024-29073: (postponed; to be fixed through a stable update) An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vulnerability.
  • CVE-2024-32152: (postponed; to be fixed through a stable update) A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.
  • CVE-2024-32484: (postponed; to be fixed through a stable update) An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
Created: 2026-07-08 Last update: 2026-07-08 14:30
4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:
  • CVE-2024-26020: An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send malicious flashcard to trigger this vulnerability.
  • CVE-2024-29073: An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vulnerability.
  • CVE-2024-32152: A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability.
  • CVE-2024-32484: An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
Created: 2024-07-23 Last update: 2024-09-25 18:35
news
[rss feed]
  • [2024-12-15] Removed 2.1.15+dfsg-4 from unstable (Debian FTP Masters)
  • [2024-03-04] Accepted anki 2.1.15+dfsg-4 (source) into unstable (Laurin Hagemann) (signed by: gregor herrmann)
  • [2022-06-12] anki REMOVED from testing (Debian testing watch)
  • [2022-06-12] anki REMOVED from testing (Debian testing watch)
  • [2020-12-14] anki 2.1.15+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2020-12-08] Accepted anki 2.1.15+dfsg-3 (source) into unstable (Julian Gilbey)
  • [2020-11-04] anki 2.1.15+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2020-09-01] anki REMOVED from testing (Debian testing watch)
  • [2020-05-11] anki 2.1.15+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2020-05-06] Accepted anki 2.1.15+dfsg-2 (source) into unstable (Julian Gilbey)
  • [2019-09-04] anki 2.1.15+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2019-08-29] Accepted anki 2.1.15+dfsg-1 (source) into unstable (Julian Gilbey)
  • [2019-02-11] anki 2.1.8+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2019-02-05] Accepted anki 2.1.8+dfsg-1 (source all) into unstable (Julian Gilbey)
  • [2018-12-24] anki 2.1.7+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2018-12-18] Accepted anki 2.1.7+dfsg-1 (source all) into unstable (Julian Gilbey)
  • [2018-12-18] anki 2.1.6+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2018-12-12] Accepted anki 2.1.6+dfsg-1 (source all) into unstable (Julian Gilbey)
  • [2018-12-09] Accepted anki 2.1.6+dfsg~beta2-1 (source all) into unstable (Julian Gilbey)
  • [2018-10-26] Accepted anki 2.1.5+dfsg+2.1.6-test.20181026.b4f4e65c-1 (source all) into unstable (Julian Gilbey)
  • [2018-10-16] Accepted anki 2.1.5+dfsg-1 (source all) into unstable (Julian Gilbey)
  • [2018-08-06] Accepted anki 2.1.0+dfsg-1 (source all) into unstable (Julian Gilbey)
  • [2018-08-02] Accepted anki 2.1.0+dfsg~rc2-2 (source all) into unstable (Julian Gilbey)
  • [2018-08-01] Accepted anki 2.1.0+dfsg~rc2-1 (source all) into unstable (Julian Gilbey)
  • [2018-07-22] Accepted anki 2.1.0+dfsg~b43-1 (source all) into unstable (Julian Gilbey)
  • [2018-06-26] Accepted anki 2.1.0+dfsg~b42-1 (source all) into unstable (Julian Gilbey)
  • [2018-05-03] Accepted anki 2.1.0+dfsg~b38-1 (source all) into unstable (Julian Gilbey)
  • [2018-04-23] Accepted anki 2.1.0+dfsg~b37-2 (source all) into unstable (Julian Gilbey)
  • [2018-03-01] Accepted anki 2.1.0+dfsg~b37-1 (source all) into unstable (Julian Gilbey)
  • [2018-02-05] Accepted anki 2.1.0+dfsg~b36-1 (source all) into unstable (Julian Gilbey)
  • 1
  • 2
bugs [bug history graph]
  • all: 0
links
  • homepage
  • buildd: logs
  • popcon
  • security tracker
  • screenshots

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing