Cyber Resilience

CVE-2026-4755

Critical

Published: 24 March 2026

Published
24 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 19.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-4755 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Molotovcherry Android-Imagemagick7. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4755 is a CWE-20 (Improper Input Validation) vulnerability in the MolotovCherry Android-ImageMagick7 library. This issue affects versions of Android-ImageMagick7 prior to 7.1.2-11. The vulnerability carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation allows unauthenticated adversaries to achieve high-impact effects, including unauthorized access to sensitive data, modification of system resources, and disruption of service.

Mitigation is addressed in the referenced GitHub pull request at https://github.com/MolotovCherry/Android-ImageMagick7/pull/193, which corresponds to the release of version 7.1.2-11. Security practitioners should update affected Android-ImageMagick7 installations to this version or later to remediate the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

CWE-20 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote, unauthenticated attackers to exploit a public-facing application component (ImageMagick library) over the network with no user interaction, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4756Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33854Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33853Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33855Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33852Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33856Same product: Molotovcherry Android-Imagemagick7
CVE-2025-48913Shared CWE-20
CVE-2025-67484Shared CWE-20
CVE-2026-23489Shared CWE-20
CVE-2025-54385Shared CWE-20

Affected Assets

molotovcherry
android-imagemagick7
≤ 7.1.2-11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses remediation by requiring timely patching of the improper input validation flaw in Android-ImageMagick7 prior to version 7.1.2-11.

prevent

Enforces comprehensive input validation for image data processed by the vulnerable library, countering the core CWE-20 improper input validation issue.

detect

Vulnerability scanning identifies the presence of CVE-2026-4755 in system components, enabling targeted remediation.

References