Description
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
References (6)
Core 6
Core References
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:32961
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2026-56379
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2491700
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-xpg8-7m6m-jf56)
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56
Third Party Advisory third-party-advisory
VulnCheck Advisory: ImageMagick - Command Injection via SVG Decoder
https://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder
Scores
CVSS v3
8.1
EPSS
0.0089
EPSS Percentile
55.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-116
CWE-78
Status
published
Products (5)
ImageMagick/ImageMagick
< 6.9.13-40
imagemagick/imagemagick
< 6.9.13-40
ImageMagick/ImageMagick
< 7.1.2-15
ImageMagick/ImageMagick
6.9.13-40
ImageMagick/ImageMagick
7.1.2-15
Published
Jun 23, 2026
Tracked Since
Jun 23, 2026