PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58266 ankitects CVE debrief

Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and exfiltrate them over the network. This issue is fixed in version 25.09.4. The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity.

Vendor
ankitects
Product
anki
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Anki prior to version 25.09.4 who handle untrusted card packages should verify their installations and ensure they are updated to the latest version. This includes administrators and users who manage Anki applications and data. Additionally, security teams and vulnerability management teams should be aware of this vulnerability and its potential impact.

Technical summary

Anki's webview-based pages communicate with the Rust backend using an internal localhost API. User scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and exfiltrate them over the network. The fix involves updating to version 25.09.4, which properly restricts access to the internal API.

Defensive priority

Medium priority given the CVSS score of 6.5 and the potential for data exfiltration.

Recommended defensive actions

  • Update Anki to version 25.09.4 or later
  • Verify the integrity of card packages before importing
  • Restrict access to the Anki application and its data
  • Monitor for suspicious activity related to Anki usage
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD detail provide information about the vulnerability and its fix. Additional details are available in the referenced GitHub commit, release, and advisory. The vulnerability allows for data exfiltration through exposed API methods such as getImageForOcclusion. Users should verify their installations and ensure they are updated to the latest version. The GitHub commit b2b68d829e853da51b5de8aad6c13b53e90bc20d and release 25.09.4 provide fixes for this issue.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T22:16:54.207Z and has not been modified since then.