CVE-2026-55628
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In versions prior to 7.1.2-26he, the `-concatenate` operation lacked security policy checks, potentially allowing reading and writing to paths disallowed by the policy. This issue has been fixed in version 7.1.2-26.
Risk Assessment
An attacker could bypass security policy restrictions, gaining unauthorized access to files or writing malicious data to protected locations, leading to confidentiality and integrity breaches.
Recommendation
Immediately upgrade ImageMagick to version 7.1.2-26 or later, which includes the fix for this vulnerability.
Original NVD description (English source)
In versions prior to 7.1.2-26he, the `-concatenate` operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26.

