« List of all CVEs

CVE-2026-61858

ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder

Published: 7/11/2026 Last updated: 7/11/2026 Reserved: 7/10/2026

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.

CNA assigner: VulnCheck (83251b91-4cc7-4094-a5c7-464a1b83ea10) Requested by: n/a

Metrics

Version Score Severity Vector String
4.0 4.8 Medium CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3.1 3.3 Low CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Opam packages affected (2)

conf-libMagickCore ocsigen-start

Products affected (2)

Product Vendor Version
ImageMagick ImageMagick < tvOS 12.1.2
ImageMagick ImageMagick 21.0

References (2)

Credits (1)