PatchSiren cyber security CVE debrief

CVE-2026-25965 ImageMagick CVE debrief

CVE-2026-25965 is a high-severity vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The vulnerability carries a CVSS score of 8.6 and is rated HIGH. It was published on February 24, 2026, and last modified on June 30, 2026. It allows local file disclosure (LFI) through a path traversal issue in ImageMagick's path security policy, which lets an attacker bypass policy rules and access sensitive files the policy was meant to protect.

Vendor: ImageMagick
Product: Unknown
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-06-30
Advisory published: 2026-02-24
Advisory updated: 2026-06-30

Who should care

Organizations running ImageMagick versions prior to 7.1.2-15 or 6.9.13-40 are affected. Users who have applied the policy-secure.xml configuration but have not updated ImageMagick are also at risk, because the policy itself is what this vulnerability bypasses. These organizations should act promptly to mitigate the vulnerability.

Technical summary

The vulnerability is caused by ImageMagick enforcing its path security policy on the raw filename string before the filesystem resolves it. A filename whose literal text satisfies the policy can therefore resolve to a file the policy was meant to block, bypassing the rules and enabling local file disclosure. The issue is fixed in ImageMagick 7.1.2-15 and 6.9.13-40. In addition, adding specific configurations to the policy can prevent writing to files and help ensure that the policy is enforced as intended.
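The ordering problem described above, as an added example that is not ImageMagick's own code and does not use its policy.xml format: a small path policy evaluated on the caller's literal string beside the same policy evaluated on the canonicalized path. The policy rules, the base directory and the sample filenames are all constructed for the demonstration.

```python
import fnmatch
import posixpath

# Constructed example policy (not ImageMagick's policy.xml format or its
# real semantics): each rule maps a glob pattern to the set of rights it
# grants; the first matching rule wins and anything unmatched is denied.
POLICY = [
    ("/var/app/uploads/*", {"read", "write"}),
    ("/etc/*", set()),
]

# Hypothetical working directory used to resolve relative filenames.
BASE_DIR = "/var/app/uploads"


def rights_for(path):
    """Return the rights granted to `path` by the first matching rule."""
    for pattern, rights in POLICY:
        # fnmatch's '*' also matches '/', so one pattern covers subdirectories.
        if fnmatch.fnmatchcase(path, pattern):
            return rights
    return set()


def check_raw(path, right):
    """Weak check: the policy is evaluated on the caller's literal string."""
    return right in rights_for(path)


def canonicalize(path, base=BASE_DIR):
    """Resolve '.', '..' and redundant separators lexically and make the
    path absolute. For real files, os.path.realpath() should be applied as
    well so that symbolic links are followed before the policy is checked."""
    joined = path if posixpath.isabs(path) else posixpath.join(base, path)
    return posixpath.normpath(joined)


def check_resolved(path, right, base=BASE_DIR):
    """Hardened check: canonicalize first, then evaluate the policy."""
    return right in rights_for(canonicalize(path, base))


def audit(paths, right="read"):
    """Compare both checks over a list of filenames. A row where the raw
    check grants the right but the resolved check denies it is a bypass."""
    return [(p, canonicalize(p), check_raw(p, right), check_resolved(p, right))
            for p in paths]


if __name__ == "__main__":
    # Constructed sample filenames, as an application might receive them.
    samples = [
        "photo.png",
        "/var/app/uploads/photo.png",
        "/var/app/uploads/../../../etc/secret.conf",  # traversal under an allowed prefix
        "/etc/hosts",
    ]
    for raw, resolved, allowed_raw, allowed_resolved in audit(samples):
        verdict = "BYPASS" if allowed_raw and not allowed_resolved else "ok"
        print(f"{raw:45} -> {resolved:30} raw={allowed_raw!s:5} "
              f"resolved={allowed_resolved!s:5} {verdict}")
```

The third sample shows the failure mode the advisory describes: the literal string begins with the permitted prefix, so the raw check grants read access, while the canonical path falls under the denied rule. The first sample shows the reverse defect of string matching (a harmless relative name is refused because it never matched any rule), which is why the policy should always be applied to the canonical absolute path rather than to whatever text the caller supplied.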

Defensive priority

High priority should be given to updating ImageMagick to versions 7.1.2-15 or 6.9.13-40. Additionally, organizations should review and update their policy configurations to prevent potential bypasses.

Recommended defensive actions

  • Update ImageMagick to version 7.1.2-15 or 6.9.13-40.
  • Review and update policy configurations to prevent potential bypasses.
  • Monitor for any suspicious activity related to ImageMagick.
  • Perform regular vulnerability assessments and penetration testing.
  • Implement compensating controls, such as restricting access to sensitive files.

Evidence notes

The vulnerability was published on February 24, 2026, and modified on June 30, 2026. The CVSS score is 8.6, and the severity is classified as HIGH. The vulnerability affects ImageMagick versions prior to 7.1.2-15 and 6.9.13-40.

Official resources

This article is AI-assisted and based on the supplied source corpus.