Skip to main content

ImageMagick EUVDEUVD-2026-38441

| CVE-2026-56379 CRITICAL
Improper Encoding or Escaping of Output (CWE-116)
2026-06-23 VulnCheck GHSA-v772-658q-978p
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 NONE
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Untrusted SVG is processed remotely without auth or interaction (AV:N/PR:N/UI:N), but reliable injection depends on target rendering conditions (AC:H); MVG execution yields high C/I/A within the process scope (S:U).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jul 02, 2026 - 16:47 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 02, 2026 - 16:47 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 02, 2026 - 16:37 vuln.today
cvss_changed
CVSS changed
Jul 02, 2026 - 16:37 NVD
9.2 (CRITICAL)
Patch available
Jun 23, 2026 - 14:17 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 13:12 vuln.today
Analysis Generated
Jun 23, 2026 - 13:12 vuln.today

DescriptionCVE.org

ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.

AnalysisAI

Command injection in ImageMagick's SVG decoder (coders/svg.c) lets attackers smuggle arbitrary MVG (Magick Vector Graphics) drawing commands inside an SVG file that execute when the image is rendered, affecting versions before 7.1.2-15 and 6.9.13-40 (and the Magick.NET bindings before 14.10.3). Because ImageMagick frequently processes untrusted, user-uploaded images on servers, a crafted SVG can achieve high-impact abuse of the internal MVG rendering pipeline. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious SVG with injected MVG commands
Delivery
Submit SVG to app that uses ImageMagick
Exploit
SVG decoder converts input to MVG stream
Execution
Injected MVG drawing commands execute during render
Impact
Compromise confidentiality, integrity and availability

Vulnerability AssessmentAI

Exploitation The target application must pass an attacker-supplied SVG file through ImageMagick's internal SVG decoder (coders/svg.c) so that it is converted to MVG and rendered - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a specially crafted SVG to a web application that uses ImageMagick to generate thumbnails or convert images; when the server renders the file, injected MVG commands execute within the ImageMagick rendering context, compromising confidentiality, integrity and availability of the processing. No public PoC is currently available, and the CVSS AC:H/AT:P metrics indicate the attacker must satisfy specific conditions for reliable exploitation rather than a one-shot payload.
Remediation Vendor-released patch: upgrade ImageMagick to 7.1.2-15 or later on the 7.x branch, or 6.9.13-40 or later on the 6.x branch; the fixes correspond to upstream commits 9db96365ecab5de69cdec81b9359672b3a827aaa and f63c78b3828933f1cc7cf499390248981af765aa. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Complete inventory of ImageMagick (< 7.1.2-15 or < 6.9.13-40) and Magick.NET (< 14.10.3) installations; disable SVG processing capability as an interim control if not critical to operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Share

EUVD-2026-38441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy