CVE-2025-66633
Published: 17 March 2026
Summary
CVE-2025-66633 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Canva Affinity. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 3.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-66633 is an out-of-bounds read vulnerability (CWE-125) in the EMF functionality of Canva Affinity software. Published on 2026-03-17, it carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L). The issue arises when processing a specially crafted EMF file, which triggers an out-of-bounds read that could potentially disclose sensitive information.
An attacker with local access can exploit this vulnerability by tricking a user into opening a maliciously crafted EMF file through the affected Canva Affinity component. No special privileges are required, though the attack has low complexity and relies on user interaction. Successful exploitation enables high-impact confidentiality loss, such as memory contents leakage, with low availability impact and no integrity impact.
Mitigation details are available in vendor advisories, including the Cisco Talos Intelligence report at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2313 (also at https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2313) and Canva's security update at https://trust.canva.com/?tcuUid=1f728b0d-17f3-4c9c-97e9-6662b769eb62. Security practitioners should consult these for patching instructions and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208807
Vulnerability details
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is triggered by user opening a crafted EMF file, directly enabling T1204.002 (User Execution: Malicious File) for local info disclosure.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely flaw remediation, directly addressing this out-of-bounds read vulnerability through patching as specified in vendor advisories.
RA-5 mandates vulnerability scanning and monitoring to identify and mitigate this specific EMF parsing flaw in Canva Affinity before exploitation.
SI-16 implements memory protections that can mitigate information disclosure from out-of-bounds reads by safeguarding memory confidentiality and integrity.