{"api_version":"1","generated_at":"2026-07-11T18:35:27+00:00","cve":"CVE-2026-61858","urls":{"html":"https://cve.report/CVE-2026-61858","api":"https://cve.report/api/cve/CVE-2026-61858.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-61858","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-61858"},"summary":{"title":"ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder","description":"ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.","state":"PUBLISHED","assigner":"VulnCheck","published_at":"2026-07-11 14:16:24","updated_at":"2026-07-11 14:16:24"},"problem_types":["CWE-59","CWE-59 Improper Link Resolution Before File Access ('Link Following')"],"metrics":[{"version":"4.0","source":"disclosure@vulncheck.com","type":"Secondary","score":"4.8","severity":"MEDIUM","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"4.8","severity":"MEDIUM","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","data":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":4.8,"baseSeverity":"MEDIUM","privilegesRequired":"LOW","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW"}},{"version":"3.1","source":"disclosure@vulncheck.com","type":"Primary","score":"3.3","severity":"LOW","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"3.3","severity":"LOW","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2","name":"https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder","name":"https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder","refsource":"disclosure@vulncheck.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-61858","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-61858","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ImageMagick","product":"ImageMagick","version":"affected 7.1.2-26 semver","platforms":[]},{"source":"CNA","vendor":"ImageMagick","product":"ImageMagick","version":"unaffected 7.1.2-26 semver","platforms":[]},{"source":"CNA","vendor":"ImageMagick","product":"ImageMagick","version":"affected 6.9.13-51 semver","platforms":[]},{"source":"CNA","vendor":"ImageMagick","product":"ImageMagick","version":"unaffected 6.9.13-51 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"rexpository","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"ImageMagick","vendor":"ImageMagick","versions":[{"lessThan":"7.1.2-26","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"7.1.2-26","versionType":"semver"}]},{"defaultStatus":"unaffected","product":"ImageMagick","vendor":"ImageMagick","versions":[{"lessThan":"6.9.13-51","status":"affected","version":"0","versionType":"semver"},{"status":"unaffected","version":"6.9.13-51","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1.2-26","vulnerable":true},{"criteria":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9.13-51","vulnerable":true}],"negate":false,"operator":"OR"}]}],"credits":[{"lang":"en","type":"reporter","value":"rexpository"}],"datePublic":"2026-06-26T00:00:00.000Z","descriptions":[{"lang":"en","value":"ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process."}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":4.8,"baseSeverity":"MEDIUM","privilegesRequired":"LOW","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-59","description":"Improper Link Resolution Before File Access ('Link Following')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-11T13:01:08.621Z","orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck"},"references":[{"name":"GitHub Security Advisory (GHSA-v3j6-27vc-7pw2)","tags":["vendor-advisory"],"url":"https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v3j6-27vc-7pw2"},{"name":"VulnCheck Advisory: ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/imagemagick-before-26-policy-bypass-via-apng-encoder"}],"title":"ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder","x_generator":{"engine":"vulncheck-endgame"}}},"cveMetadata":{"assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","assignerShortName":"VulnCheck","cveId":"CVE-2026-61858","datePublished":"2026-07-11T13:01:08.621Z","dateReserved":"2026-07-10T21:53:55.768Z","dateUpdated":"2026-07-11T13:01:08.621Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-11 14:16:24","lastModifiedDate":"2026-07-11 14:16:24","problem_types":["CWE-59","CWE-59 Improper Link Resolution Before File Access ('Link Following')"],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"disclosure@vulncheck.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"61858","Ordinal":"1","Title":"ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder","CVE":"CVE-2026-61858","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"61858","Ordinal":"1","NoteData":"ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.","Type":"Description","Title":"ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder"}]}}}