## Summary Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways: 1. No sufficient validation of the Origin header. 2. Some endpoints are vulnerable to path traversal attacks. This allows malicious websites to exfiltrate local files given a known path. ## Browser impact The severity varies by browser because of Private Network Access (PNA), a newer spec that restricts web pages from making