Imagemagick vulnerabilities
783 known vulnerabilities affecting imagemagick/imagemagick.
Total CVEs: 783
CISA KEV: 3 (actively exploited)
Public exploits: 13
Exploited in wild: 4
Severity breakdown: Critical 55, High 232, Medium 461, Low 35
Vulnerabilities
Page 1 of 40
CVE-2016-3714 [HIGH] CVSS 8.4, priority P1, CWE-20. Flags: KEV, PoC. Affected: ≤ 6.9.3-9; 7.0.0-0 (+1 more). Published 2016-05-05.
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."
Sources: nvd, osv
CVE-2016-3715 [MEDIUM] CVSS 5.5, priority P1, CWE-552. Flags: KEV, PoC. Fixed in 6.9.3-10; affected: 7.0.0-0 (+1 more). Published 2016-05-05.
The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.
Sources: nvd, osv
CVE-2016-3718 [MEDIUM] CVSS 5.5, priority P2, CWE-918. Flags: KEV, PoC. Fixed in 6.9.3-10; affected: 7.0.0-0 (+1 more). Published 2016-05-05.
The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.
Sources: nvd, osv
CVE-2016-10057 [HIGH] CVSS 7.8, priority P2, CWE-119. Flags: Exploited, Ransomware. Affected: ≤ 6.9.5-7. Published 2017-03-23.
Buffer overflow in the WriteGROUP4Image function in coders/tiff.c in ImageMagick before 6.9.5-8 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file.
Sources: nvd, osv
CVE-2022-44268 [MEDIUM] CVSS 6.5, priority P2, CWE-200. Flags: PoC. Affected: 7.1.0-49. Published 2023-02-06.
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
Sources: nvd, osv
CVE-2022-44267 [MEDIUM] CVSS 6.5, priority P3, CWE-404. Flags: PoC. Affected: 7.1.0-49. Published 2023-02-06.
ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.
Sources: nvd, osv
CVE-2018-16323 [MEDIUM] CVSS 6.5, priority P3, CWE-200. Flags: PoC. Fixed in 6.9.10-9; affected: ≥ 7.0.0-0, < 7.0.8-9. Published 2018-09-01.
ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data.
Sources: nvd, osv
CVE-2014-2030 [HIGH] CVSS 8.8, priority P2. Flags: PoC. Affected: 6.8.8-5. Published 2020-02-06.
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.
Sources: nvd, osv
CVE-2016-5118 [CRITICAL] CVSS 9.8, priority P2. Fixed in 7.0.1-7. Published 2016-06-10.
The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename.
Sources: nvd, osv
CVE-2026-46522 [HIGH] CVSS 7.5, priority P3, CWE-400. Flags: PoC. Fixed in 6.9.13-48; affected: ≥ 7.0.0-0, < 7.1.2-23 (+1 more). Published 2026-06-10.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.
Sources: nvd
CVE-2016-3717 [MEDIUM] CVSS 5.5, priority P3, CWE-200. Flags: PoC. Affected: ≤ 6.9.3-9; 7.0.0-0 (+1 more). Published 2016-05-05.
The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.
Sources: nvd, osv
CVE-2025-55298 [HIGH] CVSS 8.8, priority P2, CWE-123. Fixed in 6.9.13-28; affected: ≥ 7.0.0-0, < 7.1.2-2 (+1 more). Published 2025-08-26.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory
Sources: nvd, osv
CVE-2014-1947 [HIGH] CVSS 7.8, priority P3, CWE-787. Flags: PoC. Affected: ≤ 6.5.4. Published 2020-02-17.
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of layers in a PSD image, involving the L%02ld string, a different vulnerability than CVE-2014-2030.
Sources: nvd, osv
CVE-2023-34152 [CRITICAL] CVSS 9.8, priority P2, CWE-20. Fixed in 7.1.1-11; affected: ImageMagick-6.7. Published 2023-05-30.
A vulnerability was found in ImageMagick. This security flaw causes a remote code execution vulnerability in OpenBlob with --enable-pipes configured.
Sources: nvd
CVE-2016-5239 [CRITICAL] CVSS 9.8, priority P2, CWE-284. Affected: ≤ 6.9.3-9. Published 2017-03-15.
The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.
Sources: nvd, osv
CVE-2025-53101 [CRITICAL] CVSS 9.8, priority P2, CWE-124. Fixed in 6.9.13-26; affected: ≥ 7.0.0-0, < 7.1.2-0 (+1 more). Published 2025-07-14.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stac
Sources: nvd, osv
CVE-2026-25986 [CRITICAL] CVSS 9.8, priority P3, CWE-787. Fixed in 6.9.13-40; affected: ≥ 7.0.0-0, < 7.1.2-15 (+1 more). Published 2026-02-24.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. V
Sources: nvd, osv
CVE-2026-23876 [CRITICAL] CVSS 9.8, priority P3, CWE-122. Fixed in 6.9.13-38; affected: ≥ 7.0.0-0, < 7.1.2-13 (+1 more). Published 2026-01-20.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operat
Sources: nvd, osv
CVE-2026-25897 [CRITICAL] CVSS 9.8, priority P3, CWE-122. Fixed in 6.9.13-40; affected: ≥ 7.0.0-0, < 7.1.2-15 (+1 more). Published 2026-02-24.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Sources: nvd, osv
CVE-2016-3716 [LOW] CVSS 3.3, priority P3, CWE-264. Flags: PoC. Affected: ≤ 6.9.3-9; 7.0.0-0 (+1 more). Published 2016-05-05.
The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.
Sources: nvd, osv