Skip to main content

ImageMagick EUVDEUVD-2026-41112

| CVE-2026-55628 MEDIUM
External Control of File Name or Path (CWE-73)
2026-07-01 GitHub_M
5.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
4.4 MEDIUM

Local invocation bypasses path policy, enabling read (C:L) and write (I:L) to restricted paths; no availability impact described; PR:N as any local user can invoke ImageMagick.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 20:02 EUVD
Analysis Generated
Jul 01, 2026 - 18:52 vuln.today

DescriptionCVE.org

In versions prior to 7.1.2-26he, the -concatenate operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26.

AnalysisAI

Policy bypass in ImageMagick's -concatenate operation allows local users to read from and write to filesystem paths that the configured security policy explicitly prohibits. All versions prior to 7.1.2-26 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify ImageMagick with policy.xml deployed
Delivery
Invoke ImageMagick with `-concatenate` flag
Exploit
Policy check skipped for this operation
Execution
Read or write to policy-disallowed path
Impact
Exfiltrate sensitive file or overwrite restricted target

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) ImageMagick prior to 7.1.2-26 is installed on the target system; (2) a security policy (policy.xml) is configured with path-based restrictions - environments without a configured policy have no guard to bypass and are not meaningfully affected by this specific flaw; (3) the attacker must be able to execute ImageMagick with the `-concatenate` option on the local system, either directly or indirectly via an application that exposes ImageMagick processing. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) contains a notable internal inconsistency: the vector reports C:N and I:N (no confidentiality or integrity impact) yet the description explicitly states that both reading from and writing to disallowed paths are possible, and the assigned tags include 'Information Disclosure'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to invoke ImageMagick on a shared system - such as a web application that calls ImageMagick to process user-uploaded images - passes a crafted `-concatenate` command that targets a path blocked by policy.xml, such as /etc/passwd or an application secrets directory. Because the policy check is missing, ImageMagick processes the request without error, returning file contents or writing attacker-controlled data to the restricted path. …
Remediation Upgrade ImageMagick to version 7.1.2-26 or later, which introduces the missing policy checks for the `-concatenate` operation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Share

EUVD-2026-41112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy