CVE-2026-61858

medium

Description

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.

References

https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2

Details

Source: Mitre, NVD

Published: 2026-07-11

Updated: 2026-07-11

Risk Information

CVSS v2

Base Score: 1.7

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 3.3

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity: Low

CVSS v4

Base Score: 4.8

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: Medium