PatchSiren

ankitects CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW ankitects CVE published 2026-07-07

CVE-2026-59153

Anki is a program for creating and reviewing flashcards that launches a local HTTP server to serve media files and web pages for parts of its interface. Prior to version 25.09.3, Anki did not sufficiently block requests from other origins, potentially allowing a malicious website to trigger side-effecting requests to the local server. The severity of this issue varies by browser depending on Private Netwo [truncated]

MEDIUM ankitects CVE published 2026-07-07

CVE-2026-58266

Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getIma [truncated]