Policy Bypass Vulnerability in ImageMagick by ImageMagick LLC
CVE-2026-61858

4.8MEDIUM

Key Information:

Vendor
CVE Published:
11 July 2026

What is CVE-2026-61858?

A policy bypass vulnerability exists in ImageMagick prior to version 7.1.2-26 involving the APNG encoder and its interactions with external delegates. This vulnerability arises due to inadequate validation checks, enabling attackers to exploit the encoding process to write files to paths that should be disallowed, circumventing established policy restrictions. Proper mitigation requires upgrading to a patched version of the software.

Affected Version(s)

ImageMagick 0 < 7.1.2-26

ImageMagick 0 < 6.9.13-51

ImageMagick 7.1.2-26

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rexpository
.