CVE-2026-25965
Published: 24 February 2026
Summary
CVE-2026-25965 is a high-severity Path Traversal (CWE-22) vulnerability in ImageMagick. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 49.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25965 is a path traversal vulnerability (CWE-22) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. In versions prior to 7.1.2-15 and 6.9.13-40, ImageMagick's path security policy is applied to the raw filename string before filesystem resolution. This allows attackers to bypass policy rules, such as those denying access to /etc/*, by using traversal sequences like "../". The operating system resolves the traversal to open sensitive files, while the policy matcher only evaluates the unnormalized path, permitting unauthorized reads.
The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): network accessible, low attack complexity, no privileges or user interaction required, and a scope change with high confidentiality impact. Remote attackers can exploit it by supplying a crafted input whose file path contains traversal sequences to any service that passes user-controlled filenames or images to ImageMagick, such as web applications that process uploads. Successful exploitation results in local file disclosure (LFI): the attacker reads arbitrary files readable by the ImageMagick process, even when policy-secure.xml is configured, because the deny rules are matched against the unresolved string.
The GitHub Security Advisory (GHSA-8jvj-p28h-9gm7) confirms that versions 7.1.2-15 and 6.9.13-40 include fixes to prevent unauthorized file reads by properly enforcing policies post-resolution. To fully secure against writes as well, users should add corresponding deny rules to their policy.xml file; ImageMagick plans to include these in its more secure default policies moving forward. Practitioners should upgrade immediately and review custom policy configurations.
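The ordering bug the analysis describes, shown as an added example that is not ImageMagick's code: a constructed deny list stands in for policy.xml path rules, and the same filename is checked once against the raw string (the pre-fix order) and once after normalization (the post-fix order). The function names, the deny patterns and the sample filenames are assumptions for illustration; the normalizer only collapses "." and ".." and does not follow symlinks, which a production check would resolve with realpath(3).

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed deny list standing in for policy.xml "path" rules with
 * rights="none" (illustrative; not ImageMagick's parser or its defaults). */
static const char *const DENY_PATTERNS[] = { "/etc/*", "/proc/*" };
#define NDENY (sizeof DENY_PATTERNS / sizeof DENY_PATTERNS[0])

/* 1 if any deny pattern matches PATH exactly as given. Flags 0 lets '*'
 * match across '/', so "/etc/*" also covers "/etc/ssl/private/x.key". */
static int matches_deny_list(const char *path)
{
    for (size_t i = 0; i < NDENY; i++)
        if (fnmatch(DENY_PATTERNS[i], path, 0) == 0)
            return 1;
    return 0;
}

/* Lexically normalise an absolute path: squash repeated '/', drop "." and
 * resolve ".." the way the kernel's path walk does ("/.." stays at "/").
 * Symlinks are not followed; realpath(3) is the stricter choice when the
 * target exists. Returns 0 on success, -1 on bad input or overflow. */
int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t n = 0;                      /* bytes of OUT used so far */
    const char *p = in;
    if (in[0] != '/' || outlen < 2)
        return -1;
    while (*p) {
        const char *seg;
        size_t len;
        while (*p == '/') p++;         /* skip separators */
        if (!*p) break;
        seg = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.')
            continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (n > 0 && out[n - 1] != '/') n--;   /* back to last '/' */
            if (n > 0) n--;                           /* drop that '/' */
            continue;
        }
        if (n + 1 + len + 1 > outlen)
            return -1;
        out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len;
    }
    if (n == 0)
        out[n++] = '/';
    out[n] = '\0';
    return 0;
}

/* Vulnerable order (pre-7.1.2-15 / 6.9.13-40 as the advisory describes it):
 * match the policy against the raw filename, then let the OS resolve it. */
int policy_allows_read_raw(const char *filename)
{
    return !matches_deny_list(filename);
}

/* Fixed order: resolve first, match second. Anything that cannot be
 * resolved is denied rather than falling back to the raw string. */
int policy_allows_read_resolved(const char *filename)
{
    char joined[4096], resolved[4096];
    if (filename[0] != '/') {
        /* The OS resolves relative names against the cwd, so do the same. */
        char cwd[4096];
        if (getcwd(cwd, sizeof cwd) == NULL)
            return 0;
        if (snprintf(joined, sizeof joined, "%s/%s", cwd, filename)
            >= (int)sizeof joined)
            return 0;
        filename = joined;
    }
    if (normalize_path(filename, resolved, sizeof resolved) != 0)
        return 0;
    return !matches_deny_list(resolved);
}

int main(void)
{
    /* Constructed filenames an image-processing service might be handed. */
    const char *inputs[] = {
        "/etc/passwd",
        "/var/www/uploads/../../../etc/passwd",
        "/var/www/uploads/./avatar.png",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-42s raw-match:%-5s resolved-match:%s\n", inputs[i],
               policy_allows_read_raw(inputs[i]) ? "ALLOW" : "deny",
               policy_allows_read_resolved(inputs[i]) ? "ALLOW" : "deny");
    return 0;
}
```

The second input is the case the advisory describes: the raw matcher allows it because the string does not start with /etc/, while the resolved matcher denies it because the kernel would open /etc/passwd. The same resolve-then-match order has to apply to paths ImageMagick opens for writing, which is why the advisory also asks for write deny rules in policy.xml.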
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7438
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick's path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Reads of such files are blocked as of versions 7.1.2-15 and 6.9.13-40. To make sure writing is also not possible, the following should be added to one's policy; this will also be included in ImageMagick's more secure policies by default.
CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in ImageMagick lets a remote attacker exploit a public-facing application that handles image uploads (T1190) to read arbitrary local files in spite of the path policy (Data from Local System, T1005).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): remediates the ImageMagick path traversal flaw by requiring timely application of vendor patches, i.e. upgrading to 7.1.2-15 or 6.9.13-40 (or later).
SI-10 (Information Input Validation): validates filenames and paths in image inputs to block traversal sequences such as '../' before ImageMagick processes them.
CM-6 (Configuration Settings): enforces secure configuration of ImageMagick's policy.xml with deny rules for sensitive paths such as /etc/*. Note that on unpatched versions these rules are matched against the unresolved string and so do not stop the traversal; they prevent LFI only once the patched versions evaluate them after filesystem resolution.