Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Local invocation bypasses path policy, enabling read (C:L) and write (I:L) to restricted paths; no availability impact described; PR:N as any local user can invoke ImageMagick.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
In versions prior to 7.1.2-26he, the -concatenate operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26.
AnalysisAI
Policy bypass in ImageMagick's -concatenate operation allows local users to read from and write to filesystem paths that the configured security policy explicitly prohibits. All versions prior to 7.1.2-26 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) ImageMagick prior to 7.1.2-26 is installed on the target system; (2) a security policy (policy.xml) is configured with path-based restrictions - environments without a configured policy have no guard to bypass and are not meaningfully affected by this specific flaw; (3) the attacker must be able to execute ImageMagick with the `-concatenate` option on the local system, either directly or indirectly via an application that exposes ImageMagick processing. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) contains a notable internal inconsistency: the vector reports C:N and I:N (no confidentiality or integrity impact) yet the description explicitly states that both reading from and writing to disallowed paths are possible, and the assigned tags include 'Information Disclosure'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to invoke ImageMagick on a shared system - such as a web application that calls ImageMagick to process user-uploaded images - passes a crafted `-concatenate` command that targets a path blocked by policy.xml, such as /etc/passwd or an application secrets directory. Because the policy check is missing, ImageMagick processes the request without error, returning file contents or writing attacker-controlled data to the restricted path. … |
| Remediation | Upgrade ImageMagick to version 7.1.2-26 or later, which introduces the missing policy checks for the `-concatenate` operation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Imagemagick
View allReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc
Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv
The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi
The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit
The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b
The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to
The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b
ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer
Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d
A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R
The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41112