ImageMagick: Policy Bypass in PSD decoder — CVE-2026-45031

GitHub · GitHub · CVE-2026-45031

ID
CVE-2026-45031

Date
2026-05-18

Activity
2026-05-18

Source
GitHub

Vendor
GitHub

Threat
medium

CVSS
5.3

Summary

Due to a missing check in the PSD decoder it would be possible to bypass the `list-length` resource policy when decoding a PSD image. Other security limits would still apply.

Product

nuget: Magick.NET-Q16-AnyCPU | nuget: Magick.NET-Q16-HDRI-AnyCPU | nuget: Magick.NET-Q16-HDRI-OpenMP-arm64 | nuget: Magick.NET-Q16-HDRI-OpenMP-x64 | nuget: Magick.NET-Q16-HDRI-arm64 | nuget: Magick.NET-Q16-HDRI-x64 | nuget: Magick.NET-Q16-HDRI-x86 | nuget: Magick.NET-Q16-OpenMP-arm64 | +10

What to do

General, cautious steps (verify details in the official source):

Review exposure and plan remediation based on risk and environment.
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W21

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

2026-06-13 CVE-2026-54090

highGitHub GitHub 2026-W24

ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing

2026-06-12 GHSA-VC8P-8PXG-RFWG

mediumGitHub GitHub 2026-W24

ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation

2026-06-12 GHSA-CH3Q-CW5R-F4HG

mediumGitHub GitHub 2026-W24

File Browser has a DoS Vulnerability via Public Login API

2026-06-12 CVE-2026-54092

highGitHub GitHub 2026-W24

File Browser has incorrect access control for public directory shares via rule path rebasing

2026-06-12 CVE-2026-54091

highGitHub GitHub 2026-W24

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

2026-06-12 CVE-2026-54097

highGitHub GitHub 2026-W24