Skip to main content

Anki CVE-2026-59153

| EUVDEUVD-2026-42112 LOW
Origin Validation Error (CWE-346)
2026-07-07 GitHub_M GHSA-869j-r97x-hx2g
2.1
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.2 MEDIUM

AC:H reflects the dual requirement of Anki running and a non-PNA browser; UI:R for mandatory malicious-site visit; no availability impact evident from the description.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 23:01 EUVD
Analysis Generated
Jul 07, 2026 - 22:10 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on aqt (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 25.9.3.

DescriptionCVE.org

Anki is a program for creating and reviewing flashcards. Prior to 25.09.3, Anki launches a local HTTP server to serve media files and web pages for parts of its interface, but requests from other origins were not sufficiently blocked. A malicious website could potentially trigger side-effecting requests to the local server, with severity varying by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3.

AnalysisAI

Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Victim opens Anki with local HTTP server active
Delivery
Victim browses attacker-controlled website
Exploit
Malicious JS targets localhost Anki server port
Execution
Browser forwards cross-origin request (PNA absent or bypassed)
Persist
Anki server processes unauthorized request
Impact
Limited data disclosure or side-effecting state change

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the victim must have Anki open and its local HTTP server actively running at the time of the attack; (2) the victim must visit an attacker-controlled webpage in the same browser session; (3) the victim's browser must not enforce Private Network Access (PNA) protections - browsers such as recent Chromium releases with PNA enabled will block the cross-origin localhost request with a preflight rejection, defeating the attack. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N accurately reflects a low-priority finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A victim with Anki running visits an attacker-controlled webpage. The page's JavaScript issues fetch requests targeting the Anki local HTTP server (typically on localhost with a fixed or discoverable port). …
Remediation Vendor-released patch: 25.09.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy