Insecure API Access in Anki Flashcard Program
CVE-2026-58266

6.5MEDIUM

Key Information:

Vendor

Ankitects

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-58266?

Anki, a popular flashcard application, allows user scripts to access its internal API through iframes in the editor. Prior to the 25.09.4 release, this vulnerability permitted malicious card packages to exploit the API, enabling attackers to read arbitrary files from the Anki process and exfiltrate sensitive data over the network. This issue was addressed in version 25.09.4, reinforcing the importance of securing API access against unauthorized exploitation.

Affected Version(s)

anki < 25.09.4

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.