๐Ÿ” CVE Alert

CVE-2026-59153

UNKNOWN 0.0

Anki's local HTTP server does not sufficiently validate requests

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
8th

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requests to the local server, with severity varying by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3.

CWE CWE-346
Vendor ankitects
Product anki
Published Jul 7, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for ankitects anki

Be the first to know when new unknown vulnerabilities affecting ankitects anki are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

ankitects / anki
< 25.09.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/ankitects/anki/security/advisories/GHSA-869j-r97x-hx2g github.com: https://github.com/ankitects/anki/commit/858e5689d0e4fd24f74856c7e8f245412694a219 github.com: https://github.com/ankitects/anki/releases/tag/25.09.3 x.com: https://x.com/taviso/status/2051310678800253318