CVE-2026-59153
LOW
2.1
CVSS 4.0
Description
Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requests to the local server, with severity varying by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3.
Metadata
Severity & Metrics
2.1
LOW CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| ankitects | anki | — | < 25.09.3 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-346 | cna | CWE-346: Origin Validation Error |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 2.1 | LOW | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
References (4)
- https://github.com/ankitects/anki/security/advisories/GHSA-869j-r97x-hx2g https://github.com/ankitects/anki/security/advisories/GHSA-869j-r97x-hx2g
- https://github.com/ankitects/anki/commit/858e5689d0e4fd24f74856c7e8f245412694a219 https://github.com/ankitects/anki/commit/858e5689d0e4fd24f74856c7e8f245412694a219
- https://github.com/ankitects/anki/releases/tag/25.09.3 https://github.com/ankitects/anki/releases/tag/25.09.3
- https://x.com/taviso/status/2051310678800253318 https://x.com/taviso/status/2051310678800253318