Description
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Published: 2026-06-23
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 suffer from a flaw in the SVG decoder that permits injection of arbitrary MVG drawing commands. When ImageMagick renders a crafted SVG file, these injected commands are executed as part of the rendering process. Because these commands are interpreted locally by the ImageMagick engine, they can alter the rendered output or potentially trigger other unintended behaviors.

Affected Systems

The flaw affects all installations of ImageMagick that use the SVG decoder and run versions earlier than 7.1.2-15 or 6.9.13-40. Vendors using ImageMagick versions 7.x before the mentioned patch or 6.9.x before 6.9.13-40 build are vulnerable. The vulnerability is present in an ImageMagick process. The description indicates that the attacker must provide a malicious file, and no additional network privileges are required beyond the ability to supply a malicious SVG file. The CVSS score is 9.2, indicating high severity, and the EPSS score is < 1%, indicating only a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The nature of the flaw allows an attacker to execute arbitrary MVG drawing commands during rendering, making the risk significant for any system that accepts untrusted SVG input.

Risk and Exploitability

The flaw exposes ImageMagick to a command injection that can be triggered by any forged SVG file. The attacker does not need privileged access to the host beyond the ability to provide a file that is processed by ImageMagick. Because the injected commands are interpreted as MVG drawing commands during rendering, the impact is confined to whatever the rendering process can affect—potentially corrupting output or causing denial‑of‑service. The CVSS score of 9.2 is very high, while the EPSS score of < 1 % and absence from KEV suggest it is rarely exploited in the wild. Nevertheless, environments that accept untrusted SVG input remain at risk.

Generated by OpenCVE AI on July 13, 2026 at 05:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.
  • If SVG processing is not required, disable or remove the SVG decoder from the ImageMagick installation.
  • Ensure that only trusted users can provide SVG files, or validate and sanitize SVG input before rendering.

Generated by OpenCVE AI on July 13, 2026 at 05:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
References
Metrics threat_severity

None

threat_severity

Important


Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Title ImageMagick - Command Injection via SVG Decoder
First Time appeared Imagemagick
Imagemagick imagemagick
Weaknesses CWE-116
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Imagemagick
Imagemagick imagemagick
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-02T14:07:01.497Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56379

cve-icon Vulnrichment

Updated: 2026-06-30T12:10:42.910Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-23T12:13:05Z

Links: CVE-2026-56379 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-13T06:00:04Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')