GHSA-26m2-2whw-vfv9 · Severity: medium — ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and...
ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.
Conclusion & alert: CVE-2026-61858 is rated Low Risk (24.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.25%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-14 | 0.13% | 0.25% | +0.11% |
| 2 | 2026-07-12 | — | 0.13% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.8 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 3.3 | 3.1 | LOW |
|
1.8 | 1.4 | [email protected] |
| 5.3 | 3.1 | MEDIUM |
|
3.9 | 1.4 | [email protected] |
GHSA-26m2-2whw-vfv9 · Severity: medium — ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-61858 not yet assigned priority: Debian including 1 source packages (imagemagick), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-61858 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2026-61858 |
suse
|
medium | CVE-2026-61858 severity moderate: SUSE including 8 source package names (GraphicsMagick, GraphicsMagick-devel, …), 8 product×package rows across 1 product lines (SUSE Linux Enterprise Module for Package Hub 15 SP7): Known Not Affected 8. | https://www.suse.com/security/cve/CVE-2026-61858/ |
ubuntu
|
medium | CVE-2026-61858 medium priority: Ubuntu including 1 source packages (imagemagick), 8 status rows across 8 suites (bionic, focal, jammy, noble, resolute, trusty, upstream, xenial): needs-triage 7, released 1. | https://ubuntu.com/security/CVE-2026-61858 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| imagemagick | imagemagick | < 6.9.13-51 | cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* |
| imagemagick | imagemagick | >= 7.0.0-0, < 7.1.2-26 | cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* |