ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.
https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2
Published: 2026-07-11
Updated: 2026-07-11
Base Score: 1.7
Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:P/A:N
Severity: Low
Base Score: 3.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity: Low
Base Score: 4.8
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Severity: Medium