CVE-2026-4755

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4755 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Molotovcherry Android-Imagemagick7. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses remediation by requiring timely patching of the improper input validation flaw in Android-ImageMagick7 prior to version 7.1.2-11.

SI-10 Information Input Validation good match

prevent

Enforces comprehensive input validation for image data processed by the vulnerable library, countering the core CWE-20 improper input validation issue.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning identifies the presence of CVE-2026-4755 in system components, enabling targeted remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote, unauthenticated attackers to exploit a public-facing application component (ImageMagick library) over the network with no user interaction, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

CWE-20 vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

Deeper analysisAI

CVE-2026-4755 is a CWE-20 (Improper Input Validation) vulnerability in the MolotovCherry Android-ImageMagick7 library. This issue affects versions of Android-ImageMagick7 prior to 7.1.2-11. The vulnerability carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation allows unauthenticated adversaries to achieve high-impact effects, including unauthorized access to sensitive data, modification of system resources, and disruption of service.

Mitigation is addressed in the referenced GitHub pull request at https://github.com/MolotovCherry/Android-ImageMagick7/pull/193, which corresponds to the release of version 7.1.2-11. Security practitioners should update affected Android-ImageMagick7 installations to this version or later to remediate the issue.