CVE-2026-20726
Published: 17 March 2026
Summary
CVE-2026-20726 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Canva Affinity. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 2.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the out-of-bounds read vulnerability by requiring timely application of vendor patches for Canva Affinity's EMF processing as advised in Talos and Canva guidance.
- Implements memory protection mechanisms like ASLR and DEP to limit the impact of out-of-bounds reads that could disclose sensitive information.
- Requires validation of EMF file inputs to detect and reject specially crafted files that trigger the out-of-bounds read vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in the EMF file parser directly enables information disclosure via a user-opened malicious file (T1204.002).
NVD Description
An out-of-bounds read vulnerability exists in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
Deeper analysis
CVE-2026-20726 is an out-of-bounds read vulnerability (CWE-125) in the EMF functionality of Canva Affinity. Published on 2026-03-17, it carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L). The issue arises when processing a specially crafted EMF file, which can trigger an out-of-bounds read and potentially disclose sensitive information.
An attacker with local access can exploit this vulnerability by convincing a user to open a malicious EMF file. The attack has low complexity and requires no privileges, but relies on user interaction. Successful exploitation has a high confidentiality impact through information disclosure and a low availability impact, with no integrity impact.
Mitigation guidance is available in advisories from Talos Intelligence (TALOS-2025-2324) and Canva's trust center. Security practitioners should consult these references for patching instructions and workarounds specific to Canva Affinity.
Details
- CWE(s)