CVE-2026-61858

LOW

ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder

Title source: cna
STIX 2.1

Description

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-v3j6-27vc-7pw2)
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2
Third Party Advisory third-party-advisory
VulnCheck Advisory: ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder
https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder

Scores

CVSS v3 3.3
EPSS 0.0013
EPSS Percentile 3.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-59
Status published
Products (5)
ImageMagick/ImageMagick < 6.9.13-51
imagemagick/imagemagick < 6.9.13-51
ImageMagick/ImageMagick < 7.1.2-26
ImageMagick/ImageMagick 6.9.13-51
ImageMagick/ImageMagick 7.1.2-26
Published Jul 11, 2026
Tracked Since Jul 11, 2026