CVE-2026-56379
HighCVSS 8.1Exploitation Probability (EPSS)
Elevated risk64th percentile — higher than 64% of all known CVEs
Summary
A command injection vulnerability in ImageMagick before versions 7.1.2-15 and 6.9.13-40 exists in the SVG decoder. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Risk Assessment
The risk involves potential remote code execution by an attacker, which could lead to full compromise of the server or application processing images.
Recommendation
Immediately update ImageMagick to version 7.1.2-15 or later (for branch 7) and 6.9.13-40 or later (for branch 6).
Original NVD description (English source)
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.

