{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-56379: ImageMagick - Command Injection via SVG Decoder","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-56379","status":"final","version":"1","initial_release_date":"2026-06-23T12:13:05.492Z","current_release_date":"2026-07-02T14:07:01.497Z","revision_history":[{"date":"2026-06-23T12:13:05.492Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-56379 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-56379"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-56379"},{"category":"external","summary":"GitHub Security Advisory (GHSA-xpg8-7m6m-jf56)","url":"https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56"},{"category":"external","summary":"VulnCheck Advisory: ImageMagick - Command Injection via SVG Decoder","url":"https://www.vulncheck.com/advisories/imagemagick-command-injection-via-svg-decoder"}]},"product_tree":{"branches":[{"category":"vendor","name":"ImageMagick","branches":[{"category":"product_name","name":"ImageMagick","branches":[{"category":"product_version_range","name":"<7.1.2-15","product":{"name":"ImageMagick ImageMagick <7.1.2-15","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1.2-15","product":{"name":"ImageMagick ImageMagick 7.1.2-15","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"ImageMagick","branches":[{"category":"product_name","name":"ImageMagick","branches":[{"category":"product_version_range","name":"<6.9.13-40","product":{"name":"ImageMagick ImageMagick <6.9.13-40","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.9.13-40","product":{"name":"ImageMagick ImageMagick 6.9.13-40","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-56379","title":"ImageMagick - Command Injection via SVG Decoder","notes":[{"category":"description","text":"ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-3"],"fixed":["CSAFPID-2","CSAFPID-4"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.2,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-3"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 6.9.13-40 or later (6.x series), or 7.1.2-15 or later (7.x series).","product_ids":["CSAFPID-1","CSAFPID-3"]}]}]}