Arbitrary code execution via SVG decoder command injection
Summary
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering. A flaw was found in ImageMagick. This command injection vulnerability in the SVG (Scalable Vector Graphics) decoder allows a remote attacker to craft malicious SVG files. When these files are processed, the injected Magick Vector Graphics (MVG) commands can execute, potentially leading to arbitrary code execution on the affected system. An Important-rated vulnerability in the default configuration of Mojolicious::Plugin::Web::Auth::OAuth2 allows remote attackers to hijack user sessions. Because the plugin defaults to generating predictable security tokens, an attacker can bypass protections and launch Cross-Site Request Forgery (CSRF) attacks against the application. Red Hat severity: Important — CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-78. Fixed by RHSA-2026:32961 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 7 Extended Lifecycle Support. Will not fix / out of support: Red Hat Enterprise Linux 6.
- ImageMagick-0:6.9.10.68-17.el7_9
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- ImageMagick-0:6.9.10.68-17.el7_9
- RHSA-2026:32961
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Restrict ImageMagick processing capabilities via policy.xml, disabling the SVG coder and restricting delegates to prevent injection escalation to OS command execution. Enforce mandatory access control (SELinux/AppArmor) combined with seccomp syscall filtering to block execve. For systemd services, enable NoNewPrivileges, ProtectSystem=strict, ProtectHome=true, and PrivateDevices=true.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.