CVE-2026-56379

ImageMagick - Command Injection via SVG Decoder

Published: 6/23/2026 Last updated: 6/23/2026 Reserved: 6/21/2026

ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.

CNA assigner: VulnCheck (83251b91-4cc7-4094-a5c7-464a1b83ea10) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
4.0	0	No	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
3.1	0	No	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Opam packages affected (2)

conf-libMagickCore ocsigen-start

Products affected (2)

Product	Vendor	Version
ImageMagick	ImageMagick	Android-10
ImageMagick	ImageMagick	n/a

References (2)

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56
https://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder

Credits (1)

2 phenggeler