VDB
CVE-2026-56379
CVE-2026-56379
PUBLISHED
CVSS 9.2 CRITICAL
Reported by VulnCheck · Published June 23, 2026
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Risk Scores
CVSS 4.0
9.2
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ImageMagick | ImageMagick | 0, 7.1.2-15 |
| ImageMagick | ImageMagick | 0, 6.9.13-40 |
| Red Hat | Red Hat Enterprise Linux 6 | |
| imagemagick | imagemagick | 0, 0, 0 |
| ImageMagick | ImageMagick | 0, 0, 6.9.13-40 |
| Red Hat | Red Hat Enterprise Linux 6 | |
| Red Hat | Red Hat Enterprise Linux Server Optional (v. 7 ELS) | |
| Red Hat | Red Hat Enterprise Linux Server (v. 7 ELS) | |
| Red Hat | Red Hat Enterprise Linux 7 Extended Lifecycle Support | 0:6.9.10.68-17.el7_9 |
Timeline
- Jun 23, 2026 CVE Published
- Jun 24, 2026 EPSS Score
- Jun 24, 2026 Coalition ESS Score
- Jun 25, 2026 Security Advisory
- Jun 29, 2026 Distribution Patch
- Jun 29, 2026 Security Advisory
- Jul 15, 2026 CVE Updated
References
- GitHub Security Advisory (GHSA-xpg8-7m6m-jf56) vendor-advisory
- VulnCheck Advisory: ImageMagick - Command Injection via SVG Decoder third-party-advisory
- https://access.redhat.com/security/cve/CVE-2026-56379 vdb
- RHBZ#2491700 issue
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-56379.json url
- https://access.redhat.com/errata/RHSA-2026:32961 vendor-advisory