CVE-2026-61858
4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ImageMagick | ImageMagick | 0 < 7.1.2-26 | affected |
| ImageMagick | ImageMagick | 7.1.2-26 | unaffected |
| ImageMagick | ImageMagick | 0 < 6.9.13-51 | affected |
| ImageMagick | ImageMagick | 6.9.13-51 | unaffected |
Weaknesses
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
References
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2
- https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.