An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send malicious flashcard to trigger this vulnerability.

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-26020
• https://talosintelligence.com/vulnerability_reports/TALOS-2024-1993
• ankitects/anki@8d2e8b1
• https://skerritt.blog/anki-0day
• https://skii.dev/anki-0day