Symlink Attack Affecting magick.net-q16-openmp-x64 package, versions [0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DOTNET-MAGICKNETQ16OPENMPX64-17954613
  • published12 Jul 2026
  • disclosed11 Jul 2026
  • creditrexpository

Introduced: 11 Jul 2026

NewCVE-2026-61858  (opens in a new tab)
CWE-59  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop.

More information about specific builds see the [official docs] (https://github.com/dlemstra/Magick.NET/tree/main/docs)

Affected versions of this package are vulnerable to Symlink Attack through the CopyDelegateFile path in the VIDEO/APNG delegate code. An attacker can write output to a disallowed path by supplying a delegate-driven image write that copies a generated file to a destination the policy should forbid. The vulnerable code in MagickCore/video.c copies delegate output to image->filename without checking whether that destination is authorized for write access. In a policy-restricted deployment, this lets an untrusted image operation place files outside the allowed output locations, causing unauthorized file writes on the host.

CVSS Base Scores

version 4.0
version 3.1