PatchSiren cyber security CVE debrief
CVE-2026-58266 ankitects CVE debrief
Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and exfiltrate them over the network. This issue is fixed in version 25.09.4. The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity.
- Vendor
- ankitects
- Product
- anki
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Anki prior to version 25.09.4 who handle untrusted card packages should verify their installations and ensure they are updated to the latest version. This includes administrators and users who manage Anki applications and data. Additionally, security teams and vulnerability management teams should be aware of this vulnerability and its potential impact.
Technical summary
Anki's webview-based pages communicate with the Rust backend using an internal localhost API. User scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and exfiltrate them over the network. The fix involves updating to version 25.09.4, which properly restricts access to the internal API.
Defensive priority
Medium priority given the CVSS score of 6.5 and the potential for data exfiltration.
Recommended defensive actions
- Update Anki to version 25.09.4 or later
- Verify the integrity of card packages before importing
- Restrict access to the Anki application and its data
- Monitor for suspicious activity related to Anki usage
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD detail provide information about the vulnerability and its fix. Additional details are available in the referenced GitHub commit, release, and advisory. The vulnerability allows for data exfiltration through exposed API methods such as getImageForOcclusion. Users should verify their installations and ensure they are updated to the latest version. The GitHub commit b2b68d829e853da51b5de8aad6c13b53e90bc20d and release 25.09.4 provide fixes for this issue.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:54.207Z and has not been modified since then.