Description
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Published: 2026-06-23
Score: 0 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick prior to 7.1.2-15 and 6.9.13-40 suffers from a command injection flaw in its SVG decoder. Attackers can craft SVG files that embed malicious MVG drawing commands, which are executed when the image is rendered. This behavior allows the attacker to execute arbitrary system commands within the context of the ImageMagick process, potentially leading to full compromise of the affected host.

Affected Systems

The flaw affects every ImageMagick installation that uses the SVG decoder and runs a version earlier than 7.1.2-15 (7.x branch) or 6.9.13-40 (6.9.x branch). The vulnerability is present in any environment where ImageMagick processes SVG files without restriction.

Risk and Exploitability

Command injection is triggered simply by delivering a specially crafted SVG file to an ImageMagick process. Based on the description, the attacker must supply a malicious file; no additional network privileges are required if the image is processed on a local system. Although no EPSS score is available and the vulnerability has not been catalogued in CISA's KEV list, the flaw gives an attacker the ability to run arbitrary code, which makes the risk significant for any system that accepts untrusted SVG input.

Generated by OpenCVE AI on June 23, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.
  • If SVG processing is not required, disable or remove the SVG decoder from the ImageMagick installation.
  • Ensure that only trusted users can provide SVG files, or validate and sanitize SVG input before rendering.
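The second recommended action (disable the SVG decoder where it is not needed) is normally implemented through ImageMagick's security policy file rather than by rebuilding the package. The policy fragment below is an added example written for this page; it is not OpenCVE's text and not a file shipped by the ImageMagick project. It assumes the standard policy.xml format, that the file lives at the usual location for the installed major version (typically /etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml on Linux), and that the coder names SVG, MVG and MSVG cover the SVG path (MSVG being the built-in SVG renderer and MVG the drawing-command format named in the advisory).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy.xml for hosts that do not need SVG rendering.
     Assumed location: /etc/ImageMagick-7/policy.xml (IM7) or
     /etc/ImageMagick-6/policy.xml (IM6). Merge into the existing file;
     do not replace distro-supplied resource limits. -->
<policymap>

  <!-- Weak setting (the effective default when no coder policy exists):
       every coder, including SVG/MVG/MSVG, may read and write. Listed here
       only to show what the hardened rule below replaces. -->
  <!-- <policy domain="coder" rights="read|write" pattern="*" /> -->

  <!-- Hardened setting: deny the SVG decoder and the MVG drawing-command
       coder it hands off to, so a crafted SVG is rejected before parsing. -->
  <policy domain="coder" rights="none" pattern="{SVG,MVG,MSVG}" />

  <!-- Optional defence in depth for hosts that accept untrusted images:
       cap resources so a malformed file cannot exhaust the worker. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="disk" value="1GiB" />
  <policy domain="resource" name="time" value="60" />

</policymap>
```

After editing, confirm the rule is loaded with `magick -list policy` (IM7) or `convert -list policy` (IM6); the output should list the coder domain with rights "None" for the SVG, MVG and MSVG patterns. A subsequent attempt to read any SVG should then fail with a policy error instead of rendering. Hosts that genuinely need SVG should take the upgrade path in the first recommended action; the policy is a stop-gap for everything else.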

Generated by OpenCVE AI on June 23, 2026 at 14:20 UTC.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description |  | ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Title |  | ImageMagick - Command Injection via SVG Decoder
First Time appeared |  | Imagemagick; Imagemagick imagemagick
Weaknesses |  | CWE-116
CPEs |  | cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products |  | Imagemagick; Imagemagick imagemagick
References |  | 
Metrics |  | cvssV3_1: {'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}; cvssV4_0: {'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:58:13.304Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56379

Vulnrichment

Updated: 2026-06-23T13:58:09.792Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T14:30:05Z

Weaknesses
  • CWE-116: Improper Encoding or Escaping of Output