CVE-2026-56379
9.2
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ImageMagick | ImageMagick | 0 < 7.1.2-15 | affected |
| ImageMagick | ImageMagick | 7.1.2-15 | unaffected |
| ImageMagick | ImageMagick | 0 < 6.9.13-40 | affected |
| ImageMagick | ImageMagick | 6.9.13-40 | unaffected |
Weaknesses
- CWE-116: Improper Encoding or Escaping of Output
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
ImageMagick: ImageMagick: Arbitrary code execution via SVG decoder command injection
Additional References
- https://access.redhat.com/security/cve/CVE-2026-56379
- https://bugzilla.redhat.com/show_bug.cgi?id=2491700
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-56379.json
- https://access.redhat.com/errata/RHSA-2026:32961
References
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56
- https://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.