PatchSiren cyber security CVE debrief
CVE-2026-49219 ImageMagick CVE debrief
CVE-2026-49219 is a vulnerability in ImageMagick, free and open-source software for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, incorrect parsing of the filename can result in a policy bypass, allowing files disallowed by a security policy to be read using a symlink. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
- Vendor: ImageMagick
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of ImageMagick, particularly those who use it to process images from untrusted sources, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by incorrect parsing of the filename, which can lead to a policy bypass and allow files disallowed by a security policy to be read using a symlink. The CVSS score for this vulnerability is 5.5, with a severity of MEDIUM.
Defensive priority
MEDIUM
Recommended defensive actions
- Update ImageMagick to version 6.9.13-48 or 7.1.2-24 or later.
- Use a security policy to restrict access to sensitive files.
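To check a host against the first action above, the following added example (not code from ImageMagick or from the advisory) classifies the version banner printed by `magick -version` or `convert -version` against the two fixed releases named on this page. The sample banners are constructed, and the function names are illustrative.

```python
import re
import shutil
import subprocess

# Fixed releases named in the advisory, keyed by major release line.
FIXED = {6: (6, 9, 13, 48), 7: (7, 1, 2, 24)}

# Matches the "ImageMagick X.Y.Z-P" token in the first line of -version output.
VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "Version: ImageMagick 6.9.9-51 Q16 x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-48 Q16 x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-3 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-24 Q16-HDRI x86_64 https://imagemagick.org",
]


def parse_version(banner):
    """Return (major, minor, micro, patch) as ints, or None if absent."""
    match = VERSION_RE.search(banner)
    return tuple(int(g) for g in match.groups()) if match else None


def status(banner):
    """Classify a banner as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(banner)
    if version is None or version[0] not in FIXED:
        return "unknown"  # fail closed: treat as needing manual review
    # Tuple comparison is numeric, so 6.9.9-51 sorts before 6.9.13-48.
    return "patched" if version >= FIXED[version[0]] else "vulnerable"


def local_banner():
    """Banner of the installed binary: `magick` (v7) or `convert` (v6)."""
    for tool in ("magick", "convert"):
        path = shutil.which(tool)
        if path:
            result = subprocess.run([path, "-version"], capture_output=True, text=True)
            return result.stdout
    return ""


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(status(banner), "<-", banner)
    print("local install:", status(local_banner()))
```

Distribution packages may backport fixes without changing the upstream version string, so an "unknown" or "vulnerable" result on a packaged build should be confirmed against the distributor's own advisory.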
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. The vendor advisory can be found at [ref-4].
Official resources
- CVE-2026-49219 CVE record (CVE.org)
- CVE-2026-49219 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
CVE-2026-49219 was published on 2026-06-10 and modified on 2026-06-11.