Description
Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization.
Published: 2026-05-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The installer of Canon’s My Image Garden for macOS does not properly handle symbolic links during installation. A local attacker with login privileges can use a specially crafted symbolic link so that, when the installer runs, it modifies the permissions of files the attacker would not normally be authorized to change. This gives the attacker unauthorized control over protected files, potentially facilitating further compromise or abuse. The weakness is classified as CWE-59, Improper Link Resolution Before File Access ('Link Following').

Affected Systems

Canon Inc.'s My Image Garden for macOS is affected in versions 3.6.8 and earlier. No other products or version ranges are listed in the advisory.

Risk and Exploitability

The CVSS score for this vulnerability is 5.1, indicating moderate severity. EPSS information is not available, so the exact likelihood of exploitation in the wild cannot be quantified. The flaw is not currently listed in the CISA KEV catalog, suggesting no publicly known, active exploitation campaigns. The attack requires the attacker to be a local user with the ability to run the installer, meaning that restricting local installation privileges or using a secure installation process reduces risk.

Generated by OpenCVE AI on May 29, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade My Image Garden to a version newer than 3.6.8, ensuring the latest installer mitigates the symlink handling issue.
  • Verify that the installer package comes from Canon’s official website or a trusted source and is not tampered with, thereby guarding against malicious symlink injection.
  • If an immediate upgrade is not possible, perform the installation in a controlled environment where you can pre‑remove or neutralize suspicious symbolic links before running the installer.


Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 29 May 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Canon; Canon my Image Garden For Macos |
| Vendors & Products | | Canon; Canon my Image Garden For Macos |

Fri, 29 May 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization. |
| Weaknesses | | CWE-59 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: Canon

Published:

Updated: 2026-05-29T18:29:40.848Z

Reserved: 2026-04-23T04:25:23.590Z

Link: CVE-2026-6891

Vulnrichment

Updated: 2026-05-29T18:29:34.383Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T00:16:15.987

Modified: 2026-05-29T14:46:09.837

Link: CVE-2026-6891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:40Z

Weaknesses