
CVE-2026-56377

Severity: Low (CVSS 3.3)

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in ImageMagick before version 7.1.2-24 allows attackers to bypass security policies and create or truncate files that should be blocked. The flaw is due to incorrect policy path validation, enabling file writes outside allowed boundaries.

Risk Assessment

Remote attackers can exploit this vulnerability in sandboxed conversion services to write arbitrary files on the server, potentially leading to data integrity compromise, privilege escalation, or further system attacks.

Recommendation

Immediately upgrade ImageMagick to version 7.1.2-24 or later. Additionally, review and tighten security policy configurations (policy.xml) to mitigate the risk.

Original NVD description (English source)

ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path policy restrictions in sandboxed conversion services to write arbitrary files outside intended boundaries.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS