CVE-2025-62185

low-risk

Published 2025-10-07

In Ankitects Anki before 25.02.5, a crafted shared deck can place a YouTube downloader executable in the media folder, and this is executed for a YouTube link in the deck. The executable name could be youtube-dl.exe or yt-dlp.exe or yt-dlp_x86.exe.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.7/10 Medium

LOCAL / HIGH complexity

Affected Products (1)

Anki

Affected Vendors

Ankitects

References (3)

Patch https://github.com/ankitects/anki/commit/5080451829505842b16d4a50f398ad44560a3e4...

Broken Link https://github.com/ankitects/anki/commit/6213c9b6f99ebda181004f8915b92fe3618b939

Patch https://github.com/ankitects/anki/compare/25.02.4...25.02.5

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal