CVE-2026-56377
CVSS: 3.3 (Low)
Exploitation Probability (EPSS): Low risk, 6th percentile (higher than 6% of all known CVEs)
Summary
A vulnerability in ImageMagick before version 7.1.2-24 allows attackers to bypass security policies and create or truncate files that should be blocked. The flaw is due to incorrect policy path validation, enabling file writes outside allowed boundaries.
Risk Assessment
Remote attackers can exploit this vulnerability in sandboxed conversion services to write arbitrary files on the server, potentially leading to data integrity compromise, privilege escalation, or further system attacks.
Recommendation
Immediately upgrade ImageMagick to version 7.1.2-24 or later. Additionally, review and tighten security policy configurations (policy.xml) to mitigate the risk.
Original NVD description (English source)
ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path policy restrictions in sandboxed conversion services to write arbitrary files outside intended boundaries.