PYSEC-2026-1118

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/anki/PYSEC-2026-1118.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1118
Aliases
Published
2026-07-07T14:34:37.494906Z
Modified
2026-07-07T17:46:19.518418418Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Anki Latex Incomplete Blocklist Vulnerability
Details

An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vulnerability.

References

Affected packages

PyPI / anki

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
24.6

Affected versions

2.*
2.1.24
2.1.25
2.1.26
2.1.28
2.1.29
2.1.30
2.1.31
2.1.32
2.1.33
2.1.34
2.1.35
2.1.36
2.1.37rc1
2.1.37
2.1.38b1
2.1.38b2
2.1.38b3
2.1.38b4
2.1.38
2.1.39b1
2.1.39b2
2.1.39
2.1.40
2.1.41b1
2.1.41b2
2.1.41b3
2.1.41b4
2.1.41b5
2.1.41b6
2.1.41b7
2.1.41
2.1.42
2.1.43b1
2.1.43
2.1.44b1
2.1.44
2.1.45a1
2.1.45a2
2.1.45a3
2.1.45a4
2.1.45b1
2.1.45b2
2.1.45b3
2.1.45b4
2.1.45b5
2.1.45b6
2.1.45rc1
2.1.45rc2
2.1.45
2.1.46rc1
2.1.46
2.1.47rc1
2.1.47rc2
2.1.47
2.1.48rc1
2.1.48rc2
2.1.48
2.1.49
2.1.50b1
2.1.50b2
2.1.50b3
2.1.50b4
2.1.50b5
2.1.50b6
2.1.50b7
2.1.50b8
2.1.50b9
2.1.50rc1
2.1.50rc2
2.1.50rc3
2.1.50rc4
2.1.50
2.1.51rc1
2.1.51rc2
2.1.51
2.1.52rc1
2.1.52rc2
2.1.52rc3
2.1.52
2.1.53rc1
2.1.53rc2
2.1.53
2.1.54rc1
2.1.54rc2
2.1.54rc3
2.1.54
2.1.55b1
2.1.55b2
2.1.55b3
2.1.55b4
2.1.55b6
2.1.55b7
2.1.55rc1
2.1.55rc2
2.1.55
2.1.56rc1
2.1.56
2.1.57b1
2.1.57rc1
2.1.57
2.1.58
2.1.59
2.1.60
2.1.61b1
2.1.61b2
2.1.61
2.1.62b1
2.1.62rc1
2.1.62
2.1.63
2.1.64
2.1.65
2.1.66b1
2.1.66rc1
2.1.66
23.*
23.10b1
23.10b2
23.10b3
23.10b4
23.10b5
23.10b6
23.10rc1
23.10rc2
23.10rc3
23.10
23.10.1rc1
23.10.1rc2
23.10.1
23.12b1
23.12b2
23.12b3
23.12rc1
23.12
23.12.1
24.*
24.4rc1
24.4rc2
24.4
24.4.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/anki/PYSEC-2026-1118.yaml"