CVE-2026-59153
Anki's local HTTP server does not sufficiently validate requests
CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
8th
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requests to the local server, with severity varying by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3.
| CWE | CWE-346 |
| Vendor | ankitects |
| Product | anki |
| Published | Jul 7, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for ankitects anki
Be the first to know when new unknown vulnerabilities affecting ankitects anki are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
ankitects / anki
< 25.09.3
References
github.com: https://github.com/ankitects/anki/security/advisories/GHSA-869j-r97x-hx2g github.com: https://github.com/ankitects/anki/commit/858e5689d0e4fd24f74856c7e8f245412694a219 github.com: https://github.com/ankitects/anki/releases/tag/25.09.3 x.com: https://x.com/taviso/status/2051310678800253318