Trust & Security Portal


Flourish (a wholly-owned subsidiary of Canva) enables everyone to tell stories with data through powerful, easy-to-use visualization tools. Our platform supports a wide range of static and interactive visualizations, trusted by organizations worldwide.

This profile provides an overview of how we protect customer data and maintain a strong security posture. Here you will find details on:

  • Certifications, such as our ISO 27001 certification and Statement of Applicability (SoA).
  • Our Security Overview (Whitepaper) for a clear summary of our security program.
  • Questionnaires with responses to common frameworks, including: CAIQ-Lite, VSA, and SIG-Lite.
  • Summaries of our information security policies and latest penetration test results.

We are committed to transparency and to maintaining the trust of our customers by applying robust security and compliance practices at every level of the platform.

Documents

Reports: Penetration Test Report

Subprocessors

Trust & Security Portal Updates

Various vulnerabilities in the EMF functionality of Affinity

Vulnerabilities

Security Bulletin

Published Date: 17 March 2026

Vulnerabilities

CVE-2025-66342

  • Description: A type confusion vulnerability exists in the EMF functionality of Affinity. A specially crafted EMF file can trigger this vulnerability, leading to memory corruption.
  • Severity: High
  • CVSS: 7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-64301

  • Description: An out-of-bounds write vulnerability exists in the EMF functionality of Affinity. By using a specially crafted EMF file, a threat actor could exploit this vulnerability to perform an out-of-bounds write, leading to memory corruption.
  • Severity: High
  • CVSS: 7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-62500

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-61979

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-64733

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-66000

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-64776

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-64735

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-66633

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-58427

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-66617

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-47873

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-61952

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-66503

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-66042

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-65119

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2025-62403

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2026-20726

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

CVE-2026-22882

  • Description: An out-of-bounds read vulnerability exists in the EMF functionality of Affinity.
  • Severity: Medium
  • CVSS: 4.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  • Affected Products and Versions: Affinity Desktop for Windows before 3.1.0 (March 26)

Remediation Advice

Canva recommends that users upgrade to the latest version of Affinity available from https://www.affinity.studio/get-affinity

Timeline

| Date | Event |
|---|---|
| 22 January 2026 | Submission without vulnerability details made to Canva's Bug Bounty Program by Cisco Talos. |
| 22 January 2026 | Submission closed by Bug Bounty Program triage for not containing any vulnerability details. |
| 27 January 2026 | Canva emails Cisco Talos to ask for disclosure of vulnerability details. |
| 28 January 2026 | Cisco Talos provides vulnerability details to Canva, and Canva confirms vulnerabilities are being assessed. |
| 16 March 2026 | Fix released by Canva. |

Acknowledgements

These vulnerabilities were reported to Canva by KPC of Cisco Talos.

CVE-2025-12792

Vulnerabilities

Security Bulletin

Published Date: 13 November 2025
CVE: CVE-2025-12792
Severity: Low
CVSS: 3.2 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Affected Products and Versions: The Canva for Mac desktop app before version 1.117.1, released through the Mac App Store. The Canva for Mac desktop app distributed through canva.com is not affected.

Details

The Mac App Store distribution of the Canva for Mac desktop app was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva.

Remediation Advice

Canva recommends users upgrade to the latest version of the Canva application via the Mac App Store.
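
A local check for the two conditions in this bulletin (a Mac App Store build older than 1.117.1, and a code signature without the Hardened Runtime flag), as an added example that is not Canva's code. The function names, verdict strings and the `/Applications/Canva.app` path in the usage comment are assumptions; the sample `codesign` lines are constructed.

```sh
#!/bin/sh
# Added example (not Canva's code): audit a macOS app bundle for the
# conditions in the CVE-2025-12792 bulletin. Verdict strings are this script's own.
FIXED_VERSION="1.117.1"   # first unaffected Mac App Store version, per the bulletin

# Succeeds if the first dotted numeric version is lower than the second.
version_lt() {
  vl_a=$1; vl_b=$2
  while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
    vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
    [ "${vl_x:-0}" -lt "${vl_y:-0}" ] && return 0
    [ "${vl_x:-0}" -gt "${vl_y:-0}" ] && return 1
    case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
    case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
  done
  return 1
}

# Reads `codesign -dv` output on stdin; succeeds if the CodeDirectory flags
# list includes "runtime", e.g. flags=0x10000(runtime).
has_hardened_runtime() {
  hr_flags=$(sed -n 's/.*flags=0x[0-9a-fA-F]*(\([^)]*\)).*/\1/p' | head -n 1)
  case ",$hr_flags," in *,runtime,*) return 0 ;; *) return 1 ;; esac
}

# audit_verdict VERSION (codesign output on stdin): prints one verdict.
audit_verdict() {
  if version_lt "$1" "$FIXED_VERSION"; then echo "UPGRADE_REQUIRED"
  elif has_hardened_runtime; then echo "OK"
  else echo "NO_HARDENED_RUNTIME"
  fi
}

# Runs the real tools against a bundle on macOS. Only Mac App Store builds
# (which carry Contents/_MASReceipt) are in scope for this bulletin.
audit_app() {
  [ -e "$1/Contents/_MASReceipt/receipt" ] || { echo "NOT_APP_STORE_BUILD"; return 0; }
  aa_ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
    "$1/Contents/Info.plist") || return 2
  codesign -dv --verbose=4 "$1" 2>&1 | audit_verdict "$aa_ver"
}

# Constructed samples of codesign output, for exercising the parser off a Mac.
SAMPLE_HARDENED='CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded'
SAMPLE_PLAIN='CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded'

# Usage (path is an assumption): ./audit.sh /Applications/Canva.app
if [ $# -gt 0 ]; then audit_app "$1"; fi
```
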

Acknowledgements

This vulnerability was submitted to Canva's Bug Bounty Program by p1tsi.
