ImageMagick PostScript and HTML Code Injection Vulnerability

Vulnerability

A code injection vulnerability has been identified in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. The issue arises in the PostScript coders, which fail to properly sanitize input before writing it into the PostScript header. This allows an attacker to inject arbitrary PostScript code into a file. When this file is processed by a printer or a viewer like Ghostscript, the injected code is executed. Additionally, the HTML encoder in these versions does not correctly escape strings written to the HTML document, enabling the injection of arbitrary HTML code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution through injected PostScript or HTML, depending on the encoding used.

Remediation

Users can upgrade to ImageMagick versions 7.1.2-15 or 6.9.13-40, where this vulnerability has been patched.
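A version check for the remediation above, as an added example that is not part of the original advisory or of ImageMagick's own code: it parses the first line of `magick -version` (or `convert -version` on 6.x installs) and compares it numerically with the fixed release of the same major line. The sample banner layout and the handling of major lines other than 6 and 7 are assumptions.

```python
import re
import shutil
import subprocess

# Fixed releases named in the advisory, keyed by major version line.
FIXED = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}

_BANNER = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, patch, release) from a -version banner, or None."""
    m = _BANNER.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(banner):
    """True if the banner reports a release prior to the fixed one for its line.

    Returns None when no version can be parsed, so callers can flag the host
    for manual review instead of silently treating it as patched.
    """
    version = parse_version(banner)
    if version is None:
        return None
    major = version[0]
    if major < 6:
        return True   # assumption: anything older than the 6.x line predates the fix
    if major > 7:
        return False  # assumption: later major lines include the fix
    # Integer tuple comparison, so 7.1.2-9 sorts before 7.1.2-15.
    return version < FIXED[major]


def installed_banner():
    """First line of `magick -version` (7.x) or `convert -version` (6.x), or None."""
    for tool in ("magick", "convert"):
        path = shutil.which(tool)
        if path:
            out = subprocess.run([path, "-version"], capture_output=True,
                                 text=True, check=False).stdout
            return out.splitlines()[0] if out else None
    return None


if __name__ == "__main__":
    banner = installed_banner()
    verdict = {True: "AFFECTED", False: "patched", None: "unknown"}[
        is_affected(banner or "")]
    print(f"{banner or 'ImageMagick not found'} -> {verdict}")
```

An "unknown" result means no ImageMagick version string was found in the output and the host needs a manual look.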

Added: Feb 24, 2026, 1:44 AM
Updated: Feb 24, 2026, 1:44 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.