An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering.
{
"nvd_published_at": null,
"severity": "LOW",
"github_reviewed_at": "2026-02-25T19:12:48Z",
"cwe_ids": [
"CWE-116",
"CWE-77"
],
"github_reviewed": true
}