CVE-2026-58266

Source
https://cve.org/CVERecord?id=CVE-2026-58266
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58266.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58266
Aliases
Downstream
Published
2026-07-07T21:13:42.650Z
Modified
2026-07-10T04:02:29.026710977Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Anki: User scripts in iframes have access to the internal Anki API
Details

Anki is a program for creating and reviewing flashcards. Prior to 25.09.4, Anki's webview-based pages communicate with the Rust backend using an internal localhost API, and user scripts included via iframes in the editor can access this API despite protections intended to block reviewer and editor scripts. A malicious imported card package with an embedded iframe can use exposed API methods such as getImageForOcclusion to read arbitrary files accessible to the Anki process and exfiltrate them over the network. This issue is fixed in version 25.09.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58266.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-346"
    ]
}
References

Affected packages

Git / github.com/ankitects/anki

Affected ranges

Type
GIT
Repo
https://github.com/ankitects/anki
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "25.09.4"
        }
    ]
}

Affected versions

2.*
2.0.10
2.0.11
2.0.12
2.0.13
2.0.29
2.0.32
2.0.33
2.0.34
2.0.35
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.2
2.1.20
2.1.22
2.1.24
2.1.25
2.1.26
2.1.28
2.1.29
2.1.3
2.1.30
2.1.31
2.1.32
2.1.33
2.1.36
2.1.37
2.1.38
2.1.4
2.1.41
2.1.42
2.1.45
2.1.46
2.1.47
2.1.5
2.1.50
2.1.51
2.1.52
2.1.53
2.1.54
2.1.55
2.1.56
2.1.57
2.1.58
2.1.59
2.1.6
2.1.60
2.1.61
2.1.62
2.1.63
2.1.64
2.1.65
2.1.66
2.1.7
2.1.8
2.1.9
23.*
23.10
23.10.1
23.12
23.12.1
23.12beta1
23.12beta2
23.12beta3
23.12rc1
24.*
24.04
24.04.2beta1
24.04beta1
24.04rc1
24.04rc2
24.04rc3
24.06
24.06.1
24.06.2
24.06.3
24.06rc1
24.06rc2
24.10beta1
24.10beta2
24.10beta3
24.10beta4
24.10rc1
24.10rc2
24.11
24.11rc1
24.11rc2
25.*
25.01beta1
25.01rc1
25.02
25.02rc1
25.05b1
25.05b2
25.06b1
25.06b4
25.06b5
25.06b6
25.06b7
25.07
25.07.1
25.07.2
25.07.3
25.07.3rc1
25.07.4
25.07.5
25.08b1
25.08b2
25.08b3
25.08b4
25.08b5
25.09
25.09.1
25.09.2
25.09.3
25.09rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58266.json"