CVE-2026-61858 PUBLISHED

ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder

Assigner: VulnCheck
Reserved: 10.07.2026 Published: 11.07.2026 Updated: 11.07.2026

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 4.8

Product Status

Vendor ImageMagick
Product ImageMagick
Versions Default: unaffected
  • affected from 0 to 7.1.2-26 (excl.)
  • Version 7.1.2-26 is unaffected
Vendor ImageMagick
Product ImageMagick
Versions Default: unaffected
  • affected from 0 to 6.9.13-51 (excl.)
  • Version 6.9.13-51 is unaffected

Credits

  • rexpository reporter

References

Problem Types

  • Improper Link Resolution Before File Access ('Link Following') CWE