PT-2026-21603 · Unknown · Ghostscript+1

Lemstrap · Published 2026-02-24 · Updated 2026-05-11 · CVE-2026-25797

CVSS v3.1: 5.7 Medium

Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

ImageMagick versions prior to 7.1.2-15
ImageMagick versions prior to 6.9.13-40

Description

ImageMagick is software used for editing and manipulating digital images. The ps coders, which handle PostScript files, do not properly sanitize input before including it in the PostScript header. This allows an attacker to inject arbitrary PostScript code through a malicious file. When a printer or viewer, such as Ghostscript, processes the resulting file, the injected code is executed. Additionally, the HTML encoder does not correctly escape strings written to an HTML document, enabling an attacker to inject arbitrary HTML code through a malicious file.

Recommendations

Update to ImageMagick version 7.1.2-15 or later.
Update to ImageMagick version 6.9.13-40 or later.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-25797
ECHO-CEBD-FB2F-C23E
GHSA-RW6C-XP26-225V
OESA-2026-1452
OESA-2026-1453
OESA-2026-1454
OESA-2026-1455
OESA-2026-1456
OESA-2026-1457
OPENSUSE-SU-2026:10267-1
OPENSUSE-SU-2026:20337-1
SUSE-SU-2026:0851-1
SUSE-SU-2026:0852-1
SUSE-SU-2026:0853-1
SUSE-SU-2026:0854-1
USN-8263-1

Affected Products

Ghostscript
ImageMagick