Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2026-25966

Опубликовано: 24 фев. 2026
Источник: nvd
CVSS3: 5.9
CVSS3: 7.8
EPSS Низкий

Описание

ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Версия до 6.9.13-40 (исключая)
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Версия от 7.0.0-0 (включая) до 7.1.2-15 (исключая)

EPSS

Процентиль: 2%
0.00013
Низкий

5.9 Medium

CVSS3

7.8 High

CVSS3

Дефекты

CWE-284
NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2026-25966

CVSS3: 5.9
ubuntu
около 1 месяца назад

ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.

redhat логотип

CVE-2026-25966

CVSS3: 5.9
redhat
около 1 месяца назад

ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.

debian логотип

CVE-2026-25966

CVSS3: 5.9
debian
около 1 месяца назад

ImageMagick is free and open-source software used for editing and mani ...

github логотип

GHSA-xwc6-v6g8-pw2h

CVSS3: 5.9
github
около 1 месяца назад

ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access

suse-cvrf логотип

SUSE-SU-2026:0854-1

suse-cvrf
19 дней назад

Security update for ImageMagick

EPSS

Процентиль: 2%
0.00013
Низкий

5.9 Medium

CVSS3

7.8 High

CVSS3

Дефекты

CWE-284
NVD-CWE-noinfo