CVE-2026-33899

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33899
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33899.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-33899
Aliases
Downstream
Related
Published
2026-04-13T20:46:43.781Z
Modified
2026-05-23T22:36:10.503181Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
ImageMagick: Heap BufferOverflow write of single zero byte when parsing XML
Details

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when Magick parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "6.9.13-44"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-122",
        "CWE-191"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33899.json"
}
References

Affected packages

Git
github.com/dlemstra/magick.net

Affected ranges

Type
GIT
Repo
https://github.com/dlemstra/magick.net
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
158db3ad7f38ab3023f5dce59fb17a0f27a8cd43
Database specific 
{
    "source": "REFERENCES"
}

Affected versions

10.*
10.0.0
10.1.0
11.*
11.0.0
11.1.0
11.1.1
11.1.2
11.2.0
11.2.1
11.3.0
12.*
12.0.0
12.0.1
12.1.0
12.2.0
12.2.1
12.2.2
12.3.0
13.*
13.0.0
13.0.1
13.1.0
13.1.1
13.1.2
13.1.3
13.10.0
13.2.0
13.3.0
13.4.0
13.5.0
13.6.0
13.7.0
13.8.0
13.9.0
13.9.1
14.*
14.0.0
14.1.0
14.10.0
14.10.1
14.10.2
14.10.3
14.10.4
14.11.0
14.11.1
14.2.0
14.3.0
14.4.0
14.5.0
14.6.0
14.7.0
14.8.0
14.8.1
14.8.2
14.9.0
14.9.1
6.*
6.8.5.1001
6.8.5.401
6.8.5.402
6.8.6.301
6.8.6.601
6.8.6.801
6.8.7.1
6.8.7.101
6.8.7.501
6.8.7.502
6.8.7.901
6.8.8.1001
6.8.8.201
6.8.8.501
6.8.8.701
6.8.8.801
6.8.8.901
6.8.9.1
6.8.9.101
6.8.9.2
6.8.9.401
6.8.9.501
6.8.9.601
7.*
7.0.0.1
7.0.0.10
7.0.0.101
7.0.0.102
7.0.0.103
7.0.0.104
7.0.0.11
7.0.0.12
7.0.0.13
7.0.0.14
7.0.0.15
7.0.0.16
7.0.0.17
7.0.0.18
7.0.0.19
7.0.0.2
7.0.0.20
7.0.0.21
7.0.0.22
7.0.0.3
7.0.0.5
7.0.0.6
7.0.0.7
7.0.0.8
7.0.0.9
7.0.1.0
7.0.1.100
7.0.1.101
7.0.1.500
7.0.2.100
7.0.2.400
7.0.2.600
7.0.2.900
7.0.2.901
7.0.2.902
7.0.3.0
7.0.3.1
7.0.3.300
7.0.3.500
7.0.3.501
7.0.3.502
7.0.3.901
7.0.3.902
7.0.4.100
7.0.4.400
7.0.4.700
7.0.4.701
7.0.5.500
7.0.5.501
7.0.5.502
7.0.5.800
7.0.5.900
7.0.6.0
7.0.6.100
7.0.6.1000
7.0.6.1001
7.0.6.1002
7.0.6.101
7.0.6.102
7.0.6.600
7.0.6.601
7.0.7.0
7.0.7.300
7.0.7.700
7.0.7.900
7.1.0.0
7.10.0.0
7.10.1.0
7.10.2.0
7.11.0.0
7.11.1.0
7.12.0.0
7.13.0.0
7.13.1.0
7.14.0.0
7.14.0.1
7.14.0.2
7.14.0.3
7.14.1.0
7.14.2.0
7.14.3.0
7.14.4.0
7.14.5.0
7.15.0.0
7.15.0.1
7.15.1.0
7.15.2.0
7.15.3.0
7.15.4.0
7.15.5.0
7.16.0.0
7.16.1.0
7.17.0.0
7.17.0.1
7.18.0.0
7.19.0.0
7.19.0.1
7.2.0.0
7.2.1.0
7.20.0.0
7.20.0.1
7.21.0.0
7.21.1.0
7.22.0.0
7.22.1.0
7.22.2.0
7.22.2.1
7.22.2.2
7.22.3.0
7.23.0.0
7.23.1.0
7.23.2.0
7.23.2.1
7.23.3.0
7.23.4.0
7.24.0.0
7.24.1.0
7.3.0.0
7.4.0.0
7.4.1.0
7.4.2.0
7.4.3.0
7.4.4.0
7.4.5.0
7.4.6.0
7.5.0.0
7.5.0.1
7.6.0.0
7.6.0.1
7.7.0.0
7.8.0.0
7.9.0.0
7.9.0.1
7.9.0.2
7.9.1.0
7.9.2.0
8.*
8.0.0
8.0.1
8.1.0
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.5.0
8.6.0
8.6.1
9.*
9.0.0
9.1.0
9.1.1
9.1.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33899.json"
github.com/imagemagick/imagemagick

Affected ranges

Type
GIT
Repo
https://github.com/imagemagick/imagemagick
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9fbd2b79450e930edb95e8158d412e57a7b27e83
Fixed
ae679e2fd19ec656bfab9f822ae4cf06bf91604d
Database specific 
{
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "7.0.0-0"
        },
        {
            "fixed": "7.1.2-19"
        }
    ]
}

Affected versions

7.*
7.0.1-0
7.0.1-1
7.0.1-10
7.0.1-2
7.0.1-3
7.0.1-4
7.0.1-5
7.0.1-6
7.0.1-7
7.0.1-8
7.0.1-9
7.0.10-0
7.0.10-1
7.0.10-10
7.0.10-11
7.0.10-12
7.0.10-13
7.0.10-14
7.0.10-15
7.0.10-16
7.0.10-17
7.0.10-18
7.0.10-19
7.0.10-2
7.0.10-20
7.0.10-21
7.0.10-22
7.0.10-23
7.0.10-24
7.0.10-25
7.0.10-26
7.0.10-27
7.0.10-28
7.0.10-29
7.0.10-3
7.0.10-30
7.0.10-31
7.0.10-32
7.0.10-33
7.0.10-34
7.0.10-35
7.0.10-36
7.0.10-37
7.0.10-38
7.0.10-39
7.0.10-4
7.0.10-40
7.0.10-41
7.0.10-42
7.0.10-43
7.0.10-44
7.0.10-45
7.0.10-46
7.0.10-47
7.0.10-48
7.0.10-49
7.0.10-5
7.0.10-50
7.0.10-51
7.0.10-52
7.0.10-53
7.0.10-54
7.0.10-55
7.0.10-56
7.0.10-57
7.0.10-58
7.0.10-59
7.0.10-6
7.0.10-60
7.0.10-61
7.0.10-62
7.0.10-7
7.0.10-8
7.0.10-9
7.0.11-0
7.0.11-1
7.0.11-10
7.0.11-11
7.0.11-12
7.0.11-13
7.0.11-14
7.0.11-2
7.0.11-3
7.0.11-4
7.0.11-5
7.0.11-6
7.0.11-7
7.0.11-8
7.0.11-9
7.0.2-0
7.0.2-1
7.0.2-10
7.0.2-2
7.0.2-3
7.0.2-4
7.0.2-5
7.0.2-6
7.0.2-7
7.0.2-8
7.0.2-9
7.0.3-0
7.0.3-1
7.0.3-10
7.0.3-2
7.0.3-3
7.0.3-4
7.0.3-5
7.0.3-6
7.0.3-7
7.0.3-8
7.0.3-9
7.0.4-0
7.0.4-1
7.0.4-10
7.0.4-2
7.0.4-3
7.0.4-4
7.0.4-5
7.0.4-6
7.0.4-7
7.0.4-8
7.0.4-9
7.0.5-0
7.0.5-1
7.0.5-10
7.0.5-2
7.0.5-3
7.0.5-4
7.0.5-5
7.0.5-6
7.0.5-7
7.0.5-8
7.0.5-9
7.0.6-0
7.0.6-1
7.0.6-2
7.0.6-3
7.0.6-4
7.0.6-5
7.0.6-6
7.0.6-7
7.0.6-8
7.0.6-9
7.0.7-0
7.0.7-1
7.0.7-10
7.0.7-11
7.0.7-12
7.0.7-13
7.0.7-14
7.0.7-15
7.0.7-16
7.0.7-17
7.0.7-18
7.0.7-19
7.0.7-2
7.0.7-20
7.0.7-21
7.0.7-22
7.0.7-23
7.0.7-24
7.0.7-25
7.0.7-26
7.0.7-27
7.0.7-28
7.0.7-29
7.0.7-3
7.0.7-30
7.0.7-31
7.0.7-32
7.0.7-33
7.0.7-34
7.0.7-35
7.0.7-36
7.0.7-37
7.0.7-38
7.0.7-39
7.0.7-4
7.0.7-5
7.0.7-6
7.0.7-8
7.0.7-9
7.0.7.7
7.0.8-0
7.0.8-1
7.0.8-10
7.0.8-11
7.0.8-12
7.0.8-13
7.0.8-14
7.0.8-15
7.0.8-16
7.0.8-17
7.0.8-18
7.0.8-19
7.0.8-2
7.0.8-20
7.0.8-21
7.0.8-22
7.0.8-23
7.0.8-24
7.0.8-25
7.0.8-26
7.0.8-27
7.0.8-28
7.0.8-29
7.0.8-3
7.0.8-30
7.0.8-31
7.0.8-32
7.0.8-33
7.0.8-34
7.0.8-35
7.0.8-36
7.0.8-37
7.0.8-38
7.0.8-39
7.0.8-4
7.0.8-40
7.0.8-41
7.0.8-42
7.0.8-43
7.0.8-44
7.0.8-45
7.0.8-46
7.0.8-47
7.0.8-48
7.0.8-49
7.0.8-5
7.0.8-50
7.0.8-51
7.0.8-52
7.0.8-53
7.0.8-54
7.0.8-55
7.0.8-56
7.0.8-57
7.0.8-58
7.0.8-59
7.0.8-6
7.0.8-60
7.0.8-61
7.0.8-62
7.0.8-63
7.0.8-64
7.0.8-65
7.0.8-66
7.0.8-67
7.0.8-68
7.0.8-7
7.0.8-8
7.0.8-9
7.0.9-0
7.0.9-1
7.0.9-10
7.0.9-11
7.0.9-12
7.0.9-13
7.0.9-14
7.0.9-15
7.0.9-16
7.0.9-17
7.0.9-18
7.0.9-19
7.0.9-2
7.0.9-20
7.0.9-21
7.0.9-22
7.0.9-23
7.0.9-24
7.0.9-25
7.0.9-26
7.0.9-27
7.0.9-4
7.0.9-5
7.0.9-6
7.0.9-7
7.0.9-8
7.0.9-9
7.1.0-0
7.1.0-1
7.1.0-10
7.1.0-11
7.1.0-12
7.1.0-13
7.1.0-14
7.1.0-15
7.1.0-16
7.1.0-17
7.1.0-18
7.1.0-19
7.1.0-2
7.1.0-20
7.1.0-21
7.1.0-22
7.1.0-23
7.1.0-24
7.1.0-25
7.1.0-26
7.1.0-27
7.1.0-28
7.1.0-29
7.1.0-3
7.1.0-30
7.1.0-31
7.1.0-32
7.1.0-33
7.1.0-34
7.1.0-35
7.1.0-36
7.1.0-37
7.1.0-38
7.1.0-39
7.1.0-4
7.1.0-40
7.1.0-41
7.1.0-42
7.1.0-43
7.1.0-44
7.1.0-45
7.1.0-46
7.1.0-47
7.1.0-48
7.1.0-49
7.1.0-5
7.1.0-50
7.1.0-51
7.1.0-52
7.1.0-53
7.1.0-54
7.1.0-55
7.1.0-56
7.1.0-57
7.1.0-58
7.1.0-59
7.1.0-6
7.1.0-60
7.1.0-61
7.1.0-62
7.1.0-7
7.1.0-8
7.1.0-9
7.1.1-0
7.1.1-1
7.1.1-10
7.1.1-11
7.1.1-12
7.1.1-13
7.1.1-14
7.1.1-15
7.1.1-16
7.1.1-17
7.1.1-18
7.1.1-19
7.1.1-2
7.1.1-20
7.1.1-21
7.1.1-22
7.1.1-23
7.1.1-24
7.1.1-25
7.1.1-26
7.1.1-27
7.1.1-28
7.1.1-29
7.1.1-3
7.1.1-30
7.1.1-31
7.1.1-32
7.1.1-33
7.1.1-34
7.1.1-35
7.1.1-36
7.1.1-37
7.1.1-38
7.1.1-39
7.1.1-4
7.1.1-40
7.1.1-41
7.1.1-43
7.1.1-44
7.1.1-45
7.1.1-46
7.1.1-47
7.1.1-5
7.1.1-6
7.1.1-7
7.1.1-8
7.1.1-9
7.1.2-0
7.1.2-1
7.1.2-10
7.1.2-11
7.1.2-12
7.1.2-13
7.1.2-14
7.1.2-15
7.1.2-16
7.1.2-17
7.1.2-18
7.1.2-2
7.1.2-3
7.1.2-5
7.1.2-6
7.1.2-7
7.1.2-8
7.1.2-9

Database specific

vanir_signatures 
[
    {
        "id": "CVE-2026-33899-21928028",
        "target": {
            "function": "NewXMLTree",
            "file": "MagickCore/xml-tree.c"
        },
        "source": "https://github.com/imagemagick/imagemagick/commit/ae679e2fd19ec656bfab9f822ae4cf06bf91604d",
        "signature_version": "v1",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "function_hash": "186626242243733938443234196539701591206",
            "length": 8147.0
        }
    },
    {
        "id": "CVE-2026-33899-d15f4f63",
        "target": {
            "file": "MagickCore/xml-tree.c"
        },
        "source": "https://github.com/imagemagick/imagemagick/commit/ae679e2fd19ec656bfab9f822ae4cf06bf91604d",
        "signature_version": "v1",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "247235590413133568162882611792589076368",
                "299501954624098976382851058562861464457",
                "333180628468977636559830363735036278354",
                "97007678158249550757386346866419722246",
                "201058622412395706471457886891713455356"
            ],
            "threshold": 0.9
        }
    }
]
vanir_signatures_modified 
"2026-05-23T22:36:10Z"
source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33899.json"
github.com/imagemagick/imagemagick6

Affected ranges

Type
GIT
Repo
https://github.com/imagemagick/imagemagick6
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9da424baef0c23b1b05678b2c31102e35313adc5
Database specific 
{
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.9.13-44"
        }
    ]
}

Affected versions

6.*
6.9.10-0
6.9.10-1
6.9.10-10
6.9.10-11
6.9.10-12
6.9.10-13
6.9.10-14
6.9.10-15
6.9.10-16
6.9.10-17
6.9.10-18
6.9.10-19
6.9.10-2
6.9.10-20
6.9.10-21
6.9.10-22
6.9.10-23
6.9.10-24
6.9.10-25
6.9.10-26
6.9.10-27
6.9.10-28
6.9.10-29
6.9.10-3
6.9.10-30
6.9.10-31
6.9.10-32
6.9.10-33
6.9.10-34
6.9.10-35
6.9.10-36
6.9.10-37
6.9.10-38
6.9.10-39
6.9.10-4
6.9.10-40
6.9.10-41
6.9.10-42
6.9.10-43
6.9.10-44
6.9.10-45
6.9.10-46
6.9.10-47
6.9.10-48
6.9.10-49
6.9.10-5
6.9.10-50
6.9.10-51
6.9.10-52
6.9.10-53
6.9.10-54
6.9.10-55
6.9.10-56
6.9.10-57
6.9.10-58
6.9.10-59
6.9.10-6
6.9.10-60
6.9.10-61
6.9.10-62
6.9.10-63
6.9.10-64
6.9.10-65
6.9.10-66
6.9.10-67
6.9.10-68
6.9.10-69
6.9.10-7
6.9.10-70
6.9.10-71
6.9.10-72
6.9.10-73
6.9.10-74
6.9.10-75
6.9.10-77
6.9.10-78
6.9.10-79
6.9.10-8
6.9.10-80
6.9.10-81
6.9.10-82
6.9.10-83
6.9.10-84
6.9.10-85
6.9.10-86
6.9.10-87
6.9.10-88
6.9.10-89
6.9.10-9
6.9.10-90
6.9.10-91
6.9.10-92
6.9.10-93
6.9.10-94
6.9.10-95
6.9.10-96
6.9.10-97
6.9.11-0
6.9.11-1
6.9.11-10
6.9.11-11
6.9.11-12
6.9.11-13
6.9.11-14
6.9.11-15
6.9.11-16
6.9.11-17
6.9.11-18
6.9.11-19
6.9.11-2
6.9.11-20
6.9.11-21
6.9.11-22
6.9.11-23
6.9.11-24
6.9.11-25
6.9.11-26
6.9.11-27
6.9.11-28
6.9.11-29
6.9.11-3
6.9.11-30
6.9.11-31
6.9.11-32
6.9.11-33
6.9.11-34
6.9.11-35
6.9.11-36
6.9.11-37
6.9.11-38
6.9.11-39
6.9.11-4
6.9.11-40
6.9.11-41
6.9.11-42
6.9.11-43
6.9.11-44
6.9.11-45
6.9.11-46
6.9.11-47
6.9.11-48
6.9.11-49
6.9.11-5
6.9.11-50
6.9.11-51
6.9.11-52
6.9.11-53
6.9.11-54
6.9.11-55
6.9.11-56
6.9.11-57
6.9.11-59
6.9.11-6
6.9.11-60
6.9.11-61
6.9.11-62
6.9.11-7
6.9.11-8
6.9.11-9
6.9.12-0
6.9.12-1
6.9.12-10
6.9.12-11
6.9.12-12
6.9.12-14
6.9.12-15
6.9.12-16
6.9.12-17
6.9.12-18
6.9.12-19
6.9.12-2
6.9.12-20
6.9.12-21
6.9.12-22
6.9.12-23
6.9.12-24
6.9.12-25
6.9.12-26
6.9.12-27
6.9.12-28
6.9.12-29
6.9.12-3
6.9.12-30
6.9.12-31
6.9.12-32
6.9.12-33
6.9.12-34
6.9.12-35
6.9.12-36
6.9.12-37
6.9.12-38
6.9.12-39
6.9.12-4
6.9.12-40
6.9.12-41
6.9.12-42
6.9.12-43
6.9.12-44
6.9.12-45
6.9.12-46
6.9.12-47
6.9.12-48
6.9.12-49
6.9.12-5
6.9.12-50
6.9.12-51
6.9.12-52
6.9.12-53
6.9.12-54
6.9.12-55
6.9.12-56
6.9.12-57
6.9.12-58
6.9.12-59
6.9.12-6
6.9.12-60
6.9.12-61
6.9.12-62
6.9.12-63
6.9.12-64
6.9.12-65
6.9.12-66
6.9.12-67
6.9.12-68
6.9.12-69
6.9.12-7
6.9.12-70
6.9.12-71
6.9.12-72
6.9.12-73
6.9.12-74
6.9.12-75
6.9.12-76
6.9.12-77
6.9.12-78
6.9.12-79
6.9.12-8
6.9.12-80
6.9.12-81
6.9.12-82
6.9.12-83
6.9.12-84
6.9.12-85
6.9.12-86
6.9.12-87
6.9.12-88
6.9.12-89
6.9.12-9
6.9.12-90
6.9.12-91
6.9.12-92
6.9.12-93
6.9.12-94
6.9.12-95
6.9.12-96
6.9.12-97
6.9.12-98
6.9.12-99
6.9.13-0
6.9.13-1
6.9.13-10
6.9.13-11
6.9.13-12
6.9.13-13
6.9.13-14
6.9.13-15
6.9.13-16
6.9.13-17
6.9.13-18
6.9.13-19
6.9.13-2
6.9.13-21
6.9.13-22
6.9.13-23
6.9.13-24
6.9.13-25
6.9.13-26
6.9.13-27
6.9.13-28
6.9.13-29
6.9.13-3
6.9.13-30
6.9.13-31
6.9.13-32
6.9.13-33
6.9.13-34
6.9.13-35
6.9.13-36
6.9.13-37
6.9.13-38
6.9.13-39
6.9.13-4
6.9.13-40
6.9.13-41
6.9.13-42
6.9.13-43
6.9.13-5
6.9.13-6
6.9.13-7
6.9.13-8
6.9.13-9
6.9.4-0
6.9.4-1
6.9.4-10
6.9.4-2
6.9.4-3
6.9.4-4
6.9.4-5
6.9.4-6
6.9.4-7
6.9.4-8
6.9.4-9
6.9.5-0
6.9.5-1
6.9.5-10
6.9.5-2
6.9.5-3
6.9.5-4
6.9.5-5
6.9.5-6
6.9.5-7
6.9.5-8
6.9.5-9
6.9.6-0
6.9.6-1
6.9.6-2
6.9.6-3
6.9.6-4
6.9.6-5
6.9.6-6
6.9.6-7
6.9.6-8
6.9.7-0
6.9.7-1
6.9.7-10
6.9.7-2
6.9.7-3
6.9.7-4
6.9.7-5
6.9.7-6
6.9.7-7
6.9.7-8
6.9.7-9
6.9.8-0
6.9.8-1
6.9.8-10
6.9.8-2
6.9.8-3
6.9.8-4
6.9.8-5
6.9.8-6
6.9.8-7
6.9.8-8
6.9.8-9
6.9.9-0
6.9.9-1
6.9.9-10
6.9.9-11
6.9.9-12
6.9.9-13
6.9.9-14
6.9.9-15
6.9.9-17
6.9.9-18
6.9.9-19
6.9.9-2
6.9.9-20
6.9.9-21
6.9.9-22
6.9.9-23
6.9.9-24
6.9.9-25
6.9.9-26
6.9.9-27
6.9.9-28
6.9.9-29
6.9.9-3
6.9.9-30
6.9.9-31
6.9.9-32
6.9.9-33
6.9.9-34
6.9.9-35
6.9.9-36
6.9.9-37
6.9.9-38
6.9.9-39
6.9.9-4
6.9.9-40
6.9.9-41
6.9.9-42
6.9.9-43
6.9.9-44
6.9.9-45
6.9.9-46
6.9.9-47
6.9.9-48
6.9.9-49
6.9.9-5
6.9.9-50
6.9.9-51
6.9.9-6
6.9.9-7
6.9.9-8
6.9.9-9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33899.json"