CVE-2026-58266
Received Received - Intake

Anki Localhost API File Read via Malicious Iframe

Vulnerability report for CVE-2026-58266, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and exfiltrate them over the network. This issue is fixed in version 25.09.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ankis anki 25.09.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Anki versions prior to 25.09.4. Anki uses a webview-based interface that communicates with its Rust backend through an internal localhost API. User scripts included via iframes in the editor are supposed to be blocked from accessing this API, but due to the vulnerability, they can still access it.

A malicious imported card package containing an embedded iframe can exploit this flaw by using exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and send them over the network.

This issue was fixed in Anki version 25.09.4.

Impact Analysis

The vulnerability allows a malicious card package to read arbitrary files accessible to the Anki process and exfiltrate them over the network.

This can lead to unauthorized disclosure of sensitive or personal data stored or accessible by Anki on the affected system.

The CVSS score of 6.5 indicates a medium severity impact, with high confidentiality impact but no impact on integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, you should update Anki to version 25.09.4 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart