CVE-2026-25797 in ImageMagickinfo

Summary

by MITRE • 02/24/2026

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicous file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/21/2026

ImageMagick represents a widely deployed image processing library that handles numerous file formats including PostScript and HTML document generation. The vulnerability described in CVE-2026-25797 demonstrates a critical flaw in input sanitization mechanisms within the ps coders component, which processes PostScript file formats. This weakness exists in versions prior to 7.1.2-15 and 6.9.13-40, creating a significant security risk for systems that process untrusted image files. The vulnerability stems from insufficient validation of user-supplied input before it is written into PostScript file headers, allowing attackers to inject malicious PostScript code that can execute arbitrary commands when processed by compatible viewers or printers.

The technical implementation of this vulnerability involves the ps coders failing to properly sanitize data before insertion into PostScript headers, creating a path for code injection attacks. When malicious input is processed, it gets embedded directly into the PostScript file structure without adequate escaping or validation. This flaw specifically affects the html encoder component which also suffers from improper string escaping when generating HTML documents. The combination of these two vulnerabilities creates a multi-vector attack surface where an attacker can compromise systems through either PostScript or HTML code injection. The vulnerability aligns with CWE-74, which describes improper neutralization of special elements in output data, and CWE-94, covering improper control of generation of code, both of which are fundamental to code injection attacks.

The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to leverage the PostScript and HTML processing capabilities of ImageMagick to gain unauthorized access to systems. When processed by printers or viewers like Ghostscript, the injected PostScript code can execute arbitrary commands on the host system, potentially leading to privilege escalation or remote code execution. The HTML injection aspect further compounds the risk by allowing attackers to inject malicious content into web applications that utilize ImageMagick for HTML document generation. This creates a potential attack vector for cross-site scripting (XSS) and other web-based attacks, particularly in environments where ImageMagick is used to process user-uploaded content. The vulnerability represents a significant concern for organizations that rely on ImageMagick for image processing tasks, especially in web applications, document management systems, and automated image processing pipelines.

The recommended mitigation strategy involves immediate deployment of patched versions 7.1.2-15 and 6.9.13-40, which contain the necessary fixes for both the PostScript and HTML encoding vulnerabilities. Organizations should also implement additional protective measures including input validation and sanitization of all user-supplied files before processing, deployment of network segmentation to limit access to ImageMagick processing components, and regular security assessments of systems that utilize the library. The ATT&CK framework categorizes this vulnerability under T1059 for command and scripting interpreter and T1203 for Exploitation for Client Execution, highlighting the execution-based attack vectors that this vulnerability enables. Security teams should also consider implementing application whitelisting policies and monitoring for unusual PostScript or HTML file processing activities, particularly in environments where ImageMagick is used to process untrusted content. Organizations should conduct comprehensive vulnerability assessments to identify any systems still running vulnerable versions of ImageMagick and ensure that all processing pipelines include proper input validation mechanisms to prevent similar issues in other components.

Responsible

GitHub M

Reservation

02/05/2026

Disclosure

02/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00161

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!