Home

Description

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requests to the local server, with severity varying by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3.

PUBLISHED Reserved 2026-07-02 | Published 2026-07-07 | Updated 2026-07-08 | Assigner GitHub_M




LOW: 2.1CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-346: Origin Validation Error

Product status

< 25.09.3
affected

References

github.com/...s/anki/security/advisories/GHSA-869j-r97x-hx2g

github.com/...ommit/858e5689d0e4fd24f74856c7e8f245412694a219

github.com/ankitects/anki/releases/tag/25.09.3

x.com/taviso/status/2051310678800253318

cve.org (CVE-2026-59153)

nvd.nist.gov (CVE-2026-59153)

Download JSON