PT-2026-21625 · Unknown+2 · Imagemagick+2

Dlemstra

·

Published

2026-02-03

·

Updated

2026-05-11

·

CVE-2026-25965

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

ImageMagick versions prior to 7.1.2-15
ImageMagick versions prior to 6.9.13-40
Description

ImageMagick is software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick enforces its path security policy on the raw, unnormalized filename string before the operating system resolves path traversal sequences. Because the policy check evaluates a different path than the one the filesystem ultimately opens, a path traversal is possible, enabling local file disclosure (LFI) even when a policy-secure.xml file is applied. The policy-secure.xml file is used to define security policies.
Recommendations

Versions prior to 7.1.2-15 should be updated to 7.1.2-15 or later. Versions prior to 6.9.13-40 should be updated to 6.9.13-40 or later. Adjust policies to restrict writing to further enhance security.
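The root cause described above (a policy check applied to the raw filename string while the filesystem resolves traversal sequences afterwards), shown as an added, self-contained Python example that is not ImageMagick's code: a deliberately flawed allow-root check beside a check that normalizes the path first, run over constructed sample paths. The allowed root directory, the sample file names and the function names are assumptions made for illustration.

```python
import posixpath

# Constructed example policy: only files under this directory may be read.
ALLOWED_ROOT = "/var/app/images"


def policy_allows_raw(filename: str, root: str = ALLOWED_ROOT) -> bool:
    """Flawed check, mirroring the pre-fix behaviour described in the advisory:
    the policy is matched against the raw, unnormalized string. Any filename
    that merely starts with the allowed root passes, even if it contains '..'
    segments that the OS will later resolve to a location outside the root."""
    return filename.startswith(root + "/")


def policy_allows_normalized(filename: str, root: str = ALLOWED_ROOT) -> bool:
    """Hardened check: normalize first, then compare against the root.
    posixpath.normpath collapses '.', '..' and repeated separators lexically,
    so the policy decision is made on the same path the filesystem will open.
    In a real deployment, resolve the candidate with os.path.realpath as well
    so that symlinks cannot redirect an in-root name to an out-of-root file."""
    if not posixpath.isabs(filename):
        return False  # a relative path is ambiguous; require an absolute one
    resolved = posixpath.normpath(filename)
    return resolved == root or resolved.startswith(root + "/")


def compare(filename: str) -> tuple:
    """Return (raw_decision, normalized_decision) for one filename."""
    return (policy_allows_raw(filename), policy_allows_normalized(filename))


# Constructed sample inputs: one legitimate file, one traversal hidden behind
# the allowed prefix, one harmless use of dot segments, one sibling directory
# that shares the prefix but is not inside the root.
SAMPLES = [
    "/var/app/images/cat.png",
    "/var/app/images/../../secret/key.pem",
    "/var/app/images/./sub/../dog.png",
    "/var/app/images-private/x.png",
]

if __name__ == "__main__":
    for f in SAMPLES:
        raw, norm = compare(f)
        print(f"{f:45} raw={raw!s:5} normalized={norm}")
```

Only the second sample separates the two checks: the raw prefix match accepts it because the string begins with the allowed root, while the normalized check rejects it because the resolved path lies outside the root. The same pattern applies to ImageMagick's policy: the decision has to be made on the path the operating system will actually use, not on the string the caller supplied.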

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-06712
CVE-2026-25965
ECHO-1A7D-AFEC-31FD
GHSA-8JVJ-P28H-9GM7
OESA-2026-1452
OESA-2026-1453
OESA-2026-1454
OESA-2026-1455
OESA-2026-1456
OESA-2026-1457
OPENSUSE-SU-2026:10267-1
OPENSUSE-SU-2026:20337-1
RHSA-2026:5573
SUSE-SU-2026:0851-1
SUSE-SU-2026:0852-1
SUSE-SU-2026:0853-1
USN-8263-1

Affected Products

Imagemagick
Linuxmint
Ubuntu