CVE-2026-25797
Received Received - Intake
PostScript and HTML Injection in ImageMagick Enables Code Execution

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicous file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25797
EUVD
EUVD-2026-7445
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25797 is a moderate severity code injection vulnerability in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40.

The vulnerability occurs because the PostScript (ps) encoders do not properly sanitize input before embedding it into the PostScript header. This allows an attacker to supply a malicious file containing arbitrary PostScript code that gets injected into the output file.

When the resulting file is processed by a printer or viewer such as Ghostscript, the injected PostScript code is executed, potentially compromising the system.

Additionally, the HTML encoder in ImageMagick does not correctly escape strings written into HTML documents, enabling an attacker to inject arbitrary HTML code.

Impact Analysis

This vulnerability can lead to the execution of arbitrary PostScript code when a maliciously crafted file is processed by a printer or viewer like Ghostscript.

The impact includes potential compromise of system integrity and availability, as indicated by the CVSS metrics showing low integrity and availability impacts.

Since the attack vector is local and requires no privileges or user interaction, an attacker with local access can exploit this vulnerability to inject code.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update ImageMagick to versions 7.1.2-15 or 6.9.13-40 or later, which contain patches addressing the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25797. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart