Description
ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.
Published: 2026-02-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to stdin/stdout via policy bypass
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to override ImageMagick’s secure policy and access standard input and output streams by using the fd: pseudo-filename syntax (e.g., fd:0, fd:1). This bypass of the policy can lead to unintended data reads or writes, exposing sensitive information or permitting malicious content to be injected through the standard streams. The weakness is an improper access control flaw (CWE-284) and an information transfer flaw (CWE-184). The impact is therefore a moderate level of data exposure and potential misuse of the image processing service.

Affected Systems

ImageMagick installations built on versions older than 7.1.2-15 or 6.9.13-40 are vulnerable. The flaw resides in the default security policy file, config/policy-secure.xml, where the rule that blocks standard stream access does not apply to fd: references. The affected product is the ImageMagick image manipulation library and its associated command-line tools.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate risk. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not included in CISA’s Known Exploited Vulnerabilities catalog. The likely attack vector is local or remote through any application that accepts user-supplied image data and passes it to ImageMagick with standard stream operations; an attacker who can craft such input can read from or write to the process’s stdin or stdout.

Generated by OpenCVE AI on April 18, 2026 at 10:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to at least version 7.1.2-15 or 6.9.13-40, which include the policy change that blocks fd: pseudo-filenames by default.
  • If an upgrade is not possible, manually edit the config/policy-secure.xml file to add a rule that disallows fd: pseudo-filenames from accessing standard streams.
  • Consider tightening the application’s file handling to avoid passing standard streams to ImageMagick in untrusted contexts.
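As an added example (not part of the CVE record and not ImageMagick project code), the Python below parses a policy file in the `<policymap>` format used by policy.xml / policy-secure.xml and reports which spellings of the standard streams a `domain="path"` deny rule still leaves unblocked, so an administrator can check a manually edited policy before relying on it. The two sample policies and the `fd:*` pattern are constructed for illustration, and Python's fnmatch stands in for ImageMagick's own glob matcher, so compare the pattern against your vendor's patched file.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pre-fix secure policy: the path
# domain blocks indirect "@file" reads and the "-" stdin/stdout alias only.
WEAK_POLICY = """<policymap>
  <policy domain="path" rights="none" pattern="@*"/>
  <policy domain="path" rights="none" pattern="-"/>
</policymap>"""

# Constructed hardened variant adding a rule for the fd:<n> pseudo-filename
# form. The exact pattern is an assumption; check your vendor's patched file.
HARDENED_POLICY = WEAK_POLICY.replace(
    '<policy domain="path" rights="none" pattern="-"/>',
    '<policy domain="path" rights="none" pattern="-"/>\n'
    '  <policy domain="path" rights="none" pattern="fd:*"/>')

# Filename spellings that all refer to the process's standard streams.
STREAM_PATHS = ("-", "fd:0", "fd:1", "fd:2")

def denied_path_patterns(policy_xml):
    """Glob patterns of every path-domain rule that grants no rights."""
    root = ET.fromstring(policy_xml)
    return [p.get("pattern", "") for p in root.iter("policy")
            if p.get("domain") == "path" and p.get("rights") == "none"]

def path_is_blocked(policy_xml, path):
    """True if some rights="none" path rule matches the filename.
    fnmatch approximates ImageMagick's own glob matching."""
    return any(fnmatch.fnmatchcase(path, pat)
               for pat in denied_path_patterns(policy_xml))

def unblocked_stream_paths(policy_xml, paths=STREAM_PATHS):
    """Standard-stream spellings the policy still lets through (empty = good)."""
    return [p for p in paths if not path_is_blocked(policy_xml, p)]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: unblocked = {unblocked_stream_paths(policy)}")
```

Point the functions at the contents of your installed policy-secure.xml to check that every entry in STREAM_PATHS comes back blocked.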

Advisories

Source | ID | Title
Debian DSA | DSA-6158-1 | imagemagick security update
Github GHSA | GHSA-xwc6-v6g8-pw2h | ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access

History

Wed, 25 Feb 2026 12:00:00 +0000
  • Weaknesses: NVD-CWE-noinfo
  • CPEs: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000
  • Weaknesses: CWE-184
  • References: updated
  • Metrics: threat_severity changed from None to Moderate

Tue, 24 Feb 2026 10:00:00 +0000
  • First Time appeared: Imagemagick; Imagemagick imagemagick
  • Vendors & Products: Imagemagick; Imagemagick imagemagick

Tue, 24 Feb 2026 02:00:00 +0000
  • Description: added (text as given in the Description section above)
  • Title: ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access
  • Weaknesses: CWE-284
  • References: updated
  • Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-26T21:33:40.025Z
Reserved: 2026-02-09T17:13:54.067Z
Link: CVE-2026-25966

Vulnrichment
No data.

NVD
Status: Analyzed
Published: 2026-02-24T02:16:01.330
Modified: 2026-02-25T11:59:20.327
Link: CVE-2026-25966

Redhat
Severity: Moderate
Public Date: 2026-02-24T01:27:53Z
Links: CVE-2026-25966 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-18T11:00:05Z