ImageMagick 6.9.13-48/7.1.2-24: Filename Parsing Bypass via Symlink Read
CVE-2026-49219 Published on June 10, 2026

ImageMagick: Policy Bypass can read disallowed files
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, incorrect parsing of a filename can result in a policy bypass that reads files disallowed by the security policy, by way of a symlink. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.

NVD

Vulnerability Analysis

CVE-2026-49219 can be exploited with local system access and requires only low user privileges. This vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality, with no impact on integrity or availability.

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Weakness Types

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-49219 has been classified as a Directory traversal vulnerability or weakness.
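Added example (not from the advisory and not ImageMagick's own code) illustrating the bug class in the description above and the traversal weakness just defined: a lexical path check that never resolves symlinks, next to a check that canonicalises the path before comparing it with the allowed root. The directory layout, file names and helper names are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def is_allowed_lexically(path: str, allowed_root: str) -> bool:
    """Weak check: only normalises '..' components and never touches the
    filesystem, so a symlink inside allowed_root that points elsewhere passes."""
    root = os.path.normpath(allowed_root)
    target = os.path.normpath(os.path.join(root, path))
    return target == root or target.startswith(root + os.sep)


def is_allowed_canonically(path: str, allowed_root: str) -> bool:
    """Hardened check: resolve every symlink in both root and target before
    comparing, so the decision is made on the file that would actually be opened."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(os.path.join(root, path))
    return target == root or target.startswith(root + os.sep)


def demo() -> dict:
    """Constructed layout: <tmp>/allowed/ holds a real file plus a symlink
    'escape' that points at <tmp>/secret.txt, outside the allowed tree."""
    base = tempfile.mkdtemp()
    allowed = os.path.join(base, "allowed")
    os.mkdir(allowed)
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("constructed secret\n")
    with open(os.path.join(allowed, "image.png"), "w") as fh:
        fh.write("constructed image\n")
    os.symlink(secret, os.path.join(allowed, "escape"))
    results = {
        "plain_lexical": is_allowed_lexically("image.png", allowed),
        "plain_canonical": is_allowed_canonically("image.png", allowed),
        # the symlink survives the lexical check but not the canonical one
        "symlink_lexical": is_allowed_lexically("escape", allowed),
        "symlink_canonical": is_allowed_canonically("escape", allowed),
        # a plain '..' escape is caught by both checks
        "dotdot_lexical": is_allowed_lexically("../secret.txt", allowed),
    }
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'denied'}")
```

Only the canonical check denies the symlinked file; a policy that compares the unresolved filename against its allow/deny rules is exactly the kind of check a symlink defeats.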

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2026-49219 has been classified as a Shell injection vulnerability or weakness.

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-49219 has been classified as an Information Disclosure vulnerability or weakness.

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-49219 has been classified as an AuthZ vulnerability or weakness.

Products Associated with CVE-2026-49219


Affected Versions

ImageMagick: