CVE-2026-56377

ImageMagick - Policy Bypass via Incorrect Path Validation

Published: 6/30/2026 Last updated: 7/1/2026 Reserved: 6/21/2026

ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path policy restrictions in sandboxed conversion services to write arbitrary files outside intended boundaries.

CNA assigner: VulnCheck (83251b91-4cc7-4094-a5c7-464a1b83ea10) Requested by: n/a

Metrics

Version  Score  Severity  Vector String
4.0      4.8    Medium    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3.1      3.3    Low       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Opam packages affected (2)

conf-libMagickCore
ocsigen-start

Products affected (4)

Product      Vendor       Version
ImageMagick  ImageMagick  5.7.33 and prior
ImageMagick  ImageMagick  8.0.23 and prior
ImageMagick  ImageMagick  < 10.0.19043.1237
ImageMagick  ImageMagick  < 10.0.19042.1237

References (4)

Credits (2)