CVE-2026-49219
Description
ImageMagick versions prior to 6.9.13-48 and 7.1.2-24 allow policy bypass via symlinks, enabling unauthorized file reads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ImageMagick, digital image editing software, is vulnerable to a policy bypass caused by incorrect filename parsing. The flaw lets an attacker use a symbolic link to read files that the security policy disallows. It affects versions prior to 6.9.13-48 and 7.1.2-24 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a filename that, when processed by ImageMagick, bypasses security policies through the use of a symbolic link. No specific privileges or user interaction are mentioned as requirements for exploitation in the available references [1].
Impact
Successful exploitation of this vulnerability allows an attacker to read files that are otherwise protected by ImageMagick's security policy. This results in a loss of confidentiality, as sensitive or disallowed files can be accessed by an unauthorized user [1].
Mitigation
This vulnerability has been patched in ImageMagick versions 6.9.13-48 and 7.1.2-24. Users are advised to update to these fixed versions or later to mitigate the risk [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.9.13-48, <7.1.2-24
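To check whether an installed build falls inside this range, compare the version in its `magick -version` banner against the two fixed releases. The script below is an added example, not part of the original record or ImageMagick's own code; the sample banners are constructed, and the function names are illustrative.

```python
import re
import sys

# Fixed releases stated on this page; anything below them is in the affected range.
FIXED_6 = (6, 9, 13, 48)
FIXED_7 = (7, 1, 2, 24)

# Matches the "ImageMagick X.Y.Z-P" token in the output of `magick -version`.
VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, micro, patch) or None if no version is found."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version):
    """Apply the page's range: <6.9.13-48 on the 6.x line, <7.1.2-24 on 7.x."""
    fixed = FIXED_7 if version[0] >= 7 else FIXED_6
    return version < fixed


def classify(banner):
    """Return 'affected', 'fixed', or 'unknown' for a version banner."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "Version: ImageMagick 7.1.1-15 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-24 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-47 Q16 x86_64 https://legacy.imagemagick.org",
    "Version: ImageMagick 6.9.13-48 Q16 x86_64 https://legacy.imagemagick.org",
    "GraphicsMagick 1.3.40",
]

if __name__ == "__main__":
    # Usage: python check.py "$(magick -version)"; with no argument, run the samples.
    banners = [" ".join(sys.argv[1:])] if len(sys.argv) > 1 else SAMPLES
    for banner in banners:
        print(f"{classify(banner):8}  {banner.split(chr(10), 1)[0]}")
```

Distribution packages may backport a fix without changing the upstream version string, so an "affected" result on a distro build should be confirmed against the vendor's own advisory.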
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- ImageMagick: 25 Vulnerabilities Disclosed in Single Batch on June 10, 2026 (Vypr Intelligence · Jun 10, 2026)