{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-56379", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-06-21T02:05:47.495Z", "datePublished": "2026-06-23T12:13:05.492Z", "dateUpdated": "2026-06-23T13:58:13.304Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-23T12:13:05.492Z"}, "datePublic": "2026-02-23T00:00:00.000Z", "title": "ImageMagick - Command Injection via SVG Decoder", "descriptions": [{"lang": "en", "value": "ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Encoding or Escaping of Output", "cweId": "CWE-116", "type": "CWE"}]}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "versionType": "semver", "lessThan": "7.1.2-15"}, {"version": "7.1.2-15", "status": "unaffected", "versionType": "semver"}]}, {"vendor": "ImageMagick", "product": "ImageMagick", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "versionType": "semver", "lessThan": "6.9.13-40"}, {"version": "6.9.13-40", "status": "unaffected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.1.2-15"}, {"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.9.13-40"}]}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE"}}, {"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE"}}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56", "name": "GitHub Security Advisory (GHSA-xpg8-7m6m-jf56)", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: ImageMagick - Command Injection via SVG Decoder", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder"}], "credits": [{"lang": "en", "value": "phenggeler", "type": "reporter"}], "x_generator": {"engine": "vulncheck-endgame"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T13:58:05.952386Z", "id": "CVE-2026-56379", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T13:58:13.304Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-56379", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T13:58:05.952386Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T13:58:09.792Z"}}], "cna": {"title": "ImageMagick - Command Injection via SVG Decoder", "credits": [{"lang": "en", "type": "reporter", "value": "phenggeler"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": "0", "lessThan": "7.1.2-15", "versionType": "semver"}, {"status": "unaffected", "version": "7.1.2-15", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": "0", "lessThan": "6.9.13-40", "versionType": "semver"}, {"status": "unaffected", "version": "6.9.13-40", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-23T00:00:00.000Z", "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56", "name": "GitHub Security Advisory (GHSA-xpg8-7m6m-jf56)", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder", "name": "VulnCheck Advisory: ImageMagick - Command Injection via SVG Decoder", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck-endgame"}, "descriptions": [{"lang": "en", "value": "ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "Improper Encoding or Escaping of Output"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "7.1.2-15"}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9.13-40"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-23T12:13:05.492Z"}}}, "cveMetadata": {"cveId": "CVE-2026-56379", "state": "PUBLISHED", "dateUpdated": "2026-06-23T13:58:13.304Z", "dateReserved": "2026-06-21T02:05:47.495Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-06-23T12:13:05.492Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Arbitrary code execution via SVG decoder command injection", "id": "2491700", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491700"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in ImageMagick. This command injection vulnerability in the SVG (Scalable Vector Graphics) decoder allows a remote attacker to craft malicious SVG files. When these files are processed, the injected Magick Vector Graphics (MVG) commands can execute, potentially leading to arbitrary code execution on the affected system."], "mitigation": {"lang": "en:us", "value": "Restrict ImageMagick processing capabilities via policy.xml, disabling the SVG coder and restricting delegates to prevent injection escalation to OS command execution. Enforce mandatory access control (SELinux/AppArmor) combined with seccomp syscall filtering to block execve. For systemd services, enable NoNewPrivileges, ProtectSystem=strict, ProtectHome=true, and PrivateDevices=true."}, "name": "CVE-2026-56379", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-06-23T12:13:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-56379\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-56379\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56\nhttps://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder"], "statement": "An Important-rated vulnerability in the default configuration of Mojolicious::Plugin::Web::Auth::OAuth2 allows remote attackers to hijack user sessions. Because the plugin defaults to generating predictable security tokens, an attacker can bypass protections and launch Cross-Site Request Forgery (CSRF) attacks against the application.", "threat_severity": "Important"}