CVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallo
ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-61858
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-61858 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for ImageMagick
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…nvd · 2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…nvd · 2026-07-11
- lowCVE-2026-61857: ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing nul…nvd · 2026-07-11
- lowCVE-2026-61465: ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation…nvd · 2026-07-11
- lowCVE-2026-56372: ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the magnify opera…nvd · 2026-07-11
- lowCVE-2026-56373: ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that us…nvd · 2026-07-10
More from NVD Recent CVEs
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61857: ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing nul…2026-07-11
- lowCVE-2026-61465: ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation…2026-07-11
- mediumCVE-2026-61454: The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript va…2026-07-11