CVE-2026-56377
Severity: LOW
ImageMagick - Policy Bypass via Incorrect Path Validation
ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path policy restrictions in sandboxed conversion services to write arbitrary files outside intended boundaries.
References (2)
Vendor Advisory: GitHub Security Advisory (GHSA-gm48-c7f2-v67p)
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm48-c7f2-v67p
Third Party Advisory: VulnCheck Advisory: ImageMagick - Policy Bypass via Incorrect Path Validation
https://www.vulncheck.com/advisories/imagemagick-policy-bypass-via-incorrect-path-validation
Scores
CVSS v3: 3.3
EPSS: 0.0018
EPSS Percentile: 7.2%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (5)
ImageMagick/ImageMagick: < 6.9.13-48
imagemagick/imagemagick: < 6.9.13-48
ImageMagick/ImageMagick: < 7.1.2-24
ImageMagick/ImageMagick: 6.9.13-48
ImageMagick/ImageMagick: 7.1.2-24
Published: Jun 30, 2026
Tracked Since: Jul 01, 2026