CVE-2026-25965: Path Traversal in ImageMagick

CWE-22: Path Traversal | 8 documents, 7 sources

Severity: 7.5 HIGH (NVD); CNA score 8.6
EPSS: 0.0% (top 95.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Feb 24

Description

ImageMagick is free and open-source software for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick's path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by path traversal: the OS resolves the traversal (the ../ components) and opens the sensitive file, but the policy matcher only sees the unnormalized path, which does not begin with /etc/, and therefore allows the read. This enables local file discl
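The bypass described above, reduced to its essential shape as an added example. This is illustrative Python, not ImageMagick's own policy code and not its policy.xml syntax; the deny pattern, the working directory and the sample paths are constructed. The vulnerable matcher globs the string the caller supplied, so "../../../etc/passwd" never matches "/etc/*"; the hardened matcher first computes the absolute, normalized path the OS will actually open and globs that.

```python
import fnmatch
import posixpath

# Constructed policy: one "deny read" glob in the shape of the /etc/* rule named in
# the advisory (hypothetical; not ImageMagick's policy.xml format).
DENY_READ_PATTERNS = ["/etc/*"]

# Constructed working directory against which relative paths are resolved (hypothetical).
WORKDIR = "/var/tmp/convert"


def _denied(candidate: str, patterns) -> bool:
    """True if any glob pattern matches the candidate (fnmatch's '*' also spans '/')."""
    return any(fnmatch.fnmatchcase(candidate, pat) for pat in patterns)


def read_allowed_vulnerable(path: str, patterns=DENY_READ_PATTERNS) -> bool:
    """Vulnerable shape: glob the raw string the caller supplied.

    "../../../etc/passwd" does not start with "/etc/", so the deny rule never fires,
    even though the kernel resolves the '..' components and opens /etc/passwd.
    """
    return not _denied(path, patterns)


def read_allowed_hardened(path: str, workdir: str = WORKDIR,
                          patterns=DENY_READ_PATTERNS) -> bool:
    """Hardened shape: match against the absolute, normalized path the OS will open.

    posixpath.normpath collapses '.', '..' and repeated separators lexically. It does
    not follow symlinks; a production check on a real filesystem would additionally
    apply os.path.realpath() before matching, so a symlink under an allowed directory
    cannot point back into a denied one.
    """
    absolute = path if posixpath.isabs(path) else posixpath.join(workdir, path)
    resolved = posixpath.normpath(absolute)
    return not _denied(resolved, patterns)


def compare(path: str):
    """Return (vulnerable_verdict, hardened_verdict) for one caller-supplied path."""
    return read_allowed_vulnerable(path), read_allowed_hardened(path)


if __name__ == "__main__":
    # Constructed sample inputs: a direct hit, a relative traversal, an absolute
    # traversal, a self-cancelling '..' and a benign file in the working directory.
    for p in ["/etc/passwd", "../../../etc/passwd",
              "/var/tmp/convert/../../../etc/passwd", "/etc/../etc/shadow", "logo.png"]:
        vuln, hard = compare(p)
        print(f"{p:40} vulnerable={'allow' if vuln else 'deny':5} "
              f"hardened={'allow' if hard else 'deny'}")
```

Running it shows the two traversal inputs allowed by the raw-string check and denied once the path is normalized, while the direct /etc/passwd read and the benign logo.png are treated the same by both. The caveat in the docstring matters in practice: lexical normalization closes the ../ bypass this CVE describes, but only realpath-style resolution also covers symlinks.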

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (3 packages)

Source      Package                   Affected range
CVEListV5   imagemagick/imagemagick   < 6.9.13-40 (+1)
NVD         imagemagick/imagemagick   7.0.0-0 to 7.1.2-15 (+1)
Debian      imagemagick/imagemagick   < 8:6.9.11.60+dfsg-1.3+deb11u10 (+3)

🔴 Vulnerability Details (4)

GHSA:    ImageMagick: Policy bypass through path traversal allows reading restricted content despite secured policy (2026-02-24)
OSV:     CVE-2026-25965: ImageMagick is free and open-source software used for editing and manipulating digital images (2026-02-24)
CVEList: ImageMagick's policy bypass through path traversal allows reading restricted content despite secured policy (2026-02-24)
OSV:     ImageMagick: Policy bypass through path traversal allows reading restricted content despite secured policy (2026-02-24)

📋 Vendor Advisories (2)

Red Hat: ImageMagick: Local File Disclosure via Path Traversal (2026-02-24)
Debian:  CVE-2026-25965: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-25965 Impact, Exploitability, and Mitigation Steps | Wiz