CVE-2026-25797
MEDIUM
GHSA-rw6c-xp26-225v
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Lifecycle Timeline
3Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicous file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Analysis
Arbitrary code injection in ImageMagick's PostScript and HTML encoders allows attackers to inject malicious code that executes when files are processed by downstream applications like Ghostscript or web viewers. The vulnerability affects versions prior to 7.1.2-15 and 6.9.13-40 due to insufficient input sanitization in the ps and html coders. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today