VulnerableCode Vulnerability Details - VCID-jrwg-mmqw-3bcg

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-jrwg-mmqw-3bcg

Essentials
Severities (3)
References (6)
Severity details (2)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-jrwg-mmqw-3bcg
Aliases	CVE-2026-25965 GHSA-8jvj-p28h-9gm7
Summary	ImageMagick: Policy bypass through path traversal allows reading restricted content despite secured policy ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken. But it make sure writing is also not possible the following should be added to your policy: ``` <policy domain="path" rights="none" pattern="../"/> ``` And this will also be included in the project's more secure policies by default.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-25965
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-8jvj-p28h-9gm7
cvssv3.1_qr	HIGH	https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-25965
		https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3
		https://github.com/ImageMagick/ImageMagick
CVE-2026-25965		https://nvd.nist.gov/vuln/detail/CVE-2026-25965
GHSA-8jvj-p28h-9gm7		https://github.com/advisories/GHSA-8jvj-p28h-9gm7
GHSA-8jvj-p28h-9gm7		https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.05296
EPSS Score	0.00018
Published At	May 30, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-05-30T21:06:49.075791+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Magick.NET-Q8-x86/CVE-2026-25965.yml	38.6.0