SCA: security update for Magick.NET-Q16-AnyCPU, Magick.NET-Q16-HDRI-AnyCPU, Magick.NET-Q16-HDRI-OpenMP-arm64, Magick.NET-Q16-HDRI-OpenMP-x64, Magick.NET-Q16-HDRI-arm64, Magick.NET-Q16-HDRI-x64, Magick.NET-Q16-HDRI-x86, Magick.NET-Q16-OpenMP-arm64, Magick.NET-Q16-OpenMP-x64, Magick.NET-Q16-OpenMP-x86, Magick.NET-Q16-arm64, Magick.NET-Q16-x64, Magick.NET-Q16-x86, Magick.NET-Q8-AnyCPU, Magick.NET-Q8-OpenMP-arm64, Magick.NET-Q8-OpenMP-x64, Magick.NET-Q8-arm64, Magick.NET-Q8-x64, Magick.NET-Q8-x86 (GHSA-8jvj-p28h-9gm7)

high Tenable Cloud Security Plugin ID 437959

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
versions 7.1.2-15 and 6.9.13-40, ImageMagick’s path security policy is enforced on the raw filename string
before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path
traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees
the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when
policy-secure.xml is applied. Actions to prevent reading from files have been taken in versions .7.1.2-15
and 6.9.13-40 But it make sure writing is also not possible the following should be added to one's policy.
This will also be included in ImageMagick's more secure policies by default. (CVE-2026-25965)

See Also

https://github.com/advisories/GHSA-8jvj-p28h-9gm7

Plugin Details

Severity: High

ID: 437959

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 2/24/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-25965

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/24/2026

Vulnerability Publication Date: 2/24/2026

Reference Information

CVE: CVE-2026-25965

cwe: CWE-22