Cyber Resilience

CVE-2026-25965

Severity: High (updated)

Published: 24 February 2026
Modified: 30 June 2026
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.0075 (50.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25965 is a high-severity Path Traversal (CWE-22) vulnerability in ImageMagick (vendor ImageMagick). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25965 is a path traversal vulnerability (CWE-22) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. In versions prior to 7.1.2-15 and 6.9.13-40, ImageMagick's path security policy is applied to the raw filename string before filesystem resolution. This allows attackers to bypass policy rules, such as those denying access to /etc/*, by using traversal sequences like "../". The operating system resolves the traversal to open sensitive files, while the policy matcher only evaluates the unnormalized path, permitting unauthorized reads.

The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity with network accessibility, low attack complexity, no privileges or user interaction required, and scope change leading to high confidentiality impact. Remote attackers can exploit it by supplying a malicious image file containing traversal paths for processing by ImageMagick, such as in web applications or services that dynamically handle user-uploaded images. Successful exploitation results in local file disclosure (LFI), allowing attackers to read arbitrary sensitive files on the server even when policy-secure.xml is configured.

The GitHub Security Advisory (GHSA-8jvj-p28h-9gm7) confirms that versions 7.1.2-15 and 6.9.13-40 include fixes to prevent unauthorized file reads by properly enforcing policies post-resolution. To fully secure against writes as well, users should add corresponding deny rules to their policy.xml file; ImageMagick plans to include these in its more secure default policies moving forward. Practitioners should upgrade immediately and review custom policy configurations.
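A minimal model of the flaw and its fix, added here as an illustration and not ImageMagick's own code: a deny rule matched against the raw filename string misses a traversal path, while the same rule matched after the path is resolved catches it. The deny patterns, the base directory and the sample filenames are constructed for the example.

```python
import fnmatch
import posixpath

# Constructed deny rules in the spirit of a policy.xml path policy. This is an
# illustrative model of the bug class, not ImageMagick's parser or matcher.
DENY_PATTERNS = ("/etc/*", "/proc/*", "/root/*")

# Assumed working directory for relative filenames (constructed).
BASE_DIR = "/var/www/uploads"


def is_denied_raw(path, patterns=DENY_PATTERNS):
    """Vulnerable model: match deny rules against the raw, unnormalized string.
    A traversal such as '/tmp/../etc/passwd' never starts with '/etc/', so no
    rule fires, even though the OS will open /etc/passwd."""
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def resolve(path, base_dir=BASE_DIR):
    """Compute the path the OS would actually open: anchor relative names at
    base_dir, then collapse '.' and '..'. posixpath.normpath is pure (no
    filesystem access); a real implementation should also resolve symlinks
    (os.path.realpath) so the matcher sees the final target."""
    return posixpath.normpath(posixpath.join(base_dir, path))


def is_denied_resolved(path, patterns=DENY_PATTERNS, base_dir=BASE_DIR):
    """Hardened model: resolve first, then match the deny rules."""
    resolved = resolve(path, base_dir)
    return any(fnmatch.fnmatchcase(resolved, p) for p in patterns)


def policy_decision(path):
    """Return both verdicts side by side so the divergence is visible."""
    return {
        "path": path,
        "resolved": resolve(path),
        "raw_matcher_denies": is_denied_raw(path),
        "resolved_matcher_denies": is_denied_resolved(path),
    }


# Constructed sample filenames an application might hand to the policy check.
SAMPLE_PATHS = (
    "/etc/passwd",               # direct reference: both matchers deny
    "/tmp/../etc/passwd",        # absolute traversal: only the resolved matcher denies
    "../../../etc/passwd",       # relative traversal: only the resolved matcher denies
    "/var/www/uploads/img.png",  # benign upload path: both matchers allow
)

if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(policy_decision(sample))
```

The same ordering applies to the review of a custom policy.xml: a deny rule is only as good as the path the matcher is handed, so the check must run on the resolved path rather than the submitted string.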

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick's path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken in versions 7.1.2-15 and 6.9.13-40. To make sure writing is also not possible, the following should be added to one's policy; this will also be included in ImageMagick's more secure policies by default.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in ImageMagick lets a remote attacker exploit a public-facing application that processes image uploads (T1190) and read arbitrary local files while bypassing the path policy (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-53101 (same product: ImageMagick)
- CVE-2026-25987 (same product: ImageMagick)
- CVE-2025-55298 (same product: ImageMagick)
- CVE-2026-23876 (same product: ImageMagick)
- CVE-2026-26284 (same product: ImageMagick)
- CVE-2026-25967 (same product: ImageMagick)
- CVE-2026-25985 (same product: ImageMagick)
- CVE-2026-24481 (same product: ImageMagick)
- CVE-2026-25988 (same product: ImageMagick)
- CVE-2026-25798 (same product: ImageMagick)

Affected Assets

- imagemagick / imagemagick: ≤ 6.9.13-40 · 7.0.0-0 to 7.1.2-15

Mitigating Controls (NIST 800-53 r5)

- Prevent: Remediates the ImageMagick path traversal flaw by requiring timely application of vendor patches to versions 7.1.2-15 or 6.9.13-40.
- Prevent (SI-10 Information Input Validation): Validates filenames and paths in image inputs to block traversal sequences like '../' before ImageMagick processing.
- Prevent (CM-6 Configuration Settings): Enforces secure configuration of ImageMagick's policy.xml with deny rules for sensitive paths like /etc/* to prevent LFI post-filesystem resolution.
