Insecure API Access in Anki Flashcard Program
CVE-2026-58266
6.5MEDIUM
What is CVE-2026-58266?
Anki, a popular flashcard application, allows user scripts to access its internal API through iframes in the editor. Prior to the 25.09.4 release, this vulnerability permitted malicious card packages to exploit the API, enabling attackers to read arbitrary files from the Anki process and exfiltrate sensitive data over the network. This issue was addressed in version 25.09.4, reinforcing the importance of securing API access against unauthorized exploitation.
Affected Version(s)
anki < 25.09.4
