PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59153 ankitects CVE debrief

Anki is a program for creating and reviewing flashcards that launches a local HTTP server to serve media files and web pages for parts of its interface. Prior to version 25.09.3, Anki did not sufficiently block requests from other origins, potentially allowing a malicious website to trigger side-effecting requests to the local server. The severity of this issue varies by browser depending on Private Network Access protections. This issue is fixed in version 25.09.3. Users of Anki prior to version 25.09.3 should update to the latest version to prevent potential side-effecting requests from malicious websites. The CVE record was published on 2026-07-07T22:16:54.363Z and has not been modified since then.

Vendor
ankitects
Product
anki
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Anki prior to version 25.09.3 should update to the latest version to prevent potential side-effecting requests from malicious websites. This update is crucial for operators managing Anki installations, as it helps protect against unauthorized access and potential security breaches through the local HTTP server. Additionally, platform administrators and security teams should review their current configurations and ensure that appropriate mitigations are in place, such as restricting access to the local HTTP server and monitoring for suspicious requests.

Technical summary

Anki launches a local HTTP server to serve media files and web pages for parts of its interface. Prior to version 25.09.3, requests from other origins were not sufficiently blocked, allowing a malicious website to potentially trigger side-effecting requests to the local server. The severity of this issue varies by browser depending on Private Network Access protections. This vulnerability can lead to unintended interactions with the local server, potentially resulting in security incidents. The issue is fixed in version 25.09.3, which enhances the blocking of requests from other origins, thereby mitigating the risk.

Defensive priority

Low

Recommended defensive actions

  • Update Anki to version 25.09.3 or later
  • Review and restrict access to the local HTTP server
  • Monitor for suspicious requests to the local server
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-07T22:16:54.363Z and has not been modified since then. The NVD entry is currently 2.1. The issue is fixed in version 25.09.3. Anki launches a local HTTP server to serve media files and web pages for parts of its interface. Prior to version 25.09.3, requests from other origins were not sufficiently blocked, allowing a malicious website to potentially trigger side-effecting requests to the local server. The severity of this issue varies by browser depending on Private Network Access protections. Users of Anki prior to version 25.09.3 should update to the latest version to prevent potential side-effecting requests from malicious websites.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:54.363Z and has not been modified since then.