| Name | CVE-2026-56379 |
| Description | ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| imagemagick (PTS) | bullseye | 8:6.9.11.60+dfsg-1.3+deb11u4 | vulnerable |
| bullseye (security) | 8:6.9.11.60+dfsg-1.3+deb11u14 | vulnerable | |
| bookworm | 8:6.9.11.60+dfsg-1.6+deb12u9 | vulnerable | |
| bookworm (security) | 8:6.9.11.60+dfsg-1.6+deb12u11 | vulnerable | |
| trixie | 8:7.1.1.43+dfsg1-1+deb13u8 | vulnerable | |
| trixie (security) | 8:7.1.1.43+dfsg1-1+deb13u10 | vulnerable | |
| forky | 8:7.1.2.24+dfsg1-1 | fixed | |
| sid | 8:7.1.2.25+dfsg1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| imagemagick | source | (unstable) | 8:7.1.2.15+dfsg1-1 |
[trixie] - imagemagick <no-dsa> (Minor issue)
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/f63c78b3828933f1cc7cf499390248981af765aa (7.1.2-14)
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/9db96365ecab5de69cdec81b9359672b3a827aaa (7.1.2-14)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/4b7a043eb0fdf233ea9ecf237bcb009c16a354cd (6.9.13-39)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/b4a7adf48e723ab73d2337ada34ee0fee7337250 (6.9.13-39)