Fluid Attacks Database

Description

ImageMagick: Policy Bypass in PSD decoder Due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	magick.net-q16-hdri-anycpu	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-hdri-arm64	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-hdri-openmp-arm64	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-hdri-openmp-x64	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-arm64	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-x86	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-anycpu	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-hdri-x64	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-hdri-x86	>=0 <14.13.1	14.13.1
nuget	magick.net-q16-openmp-arm64	>=0 <14.13.1	14.13.1

1-10 of 18

Aliases

1. CVE-2026-450312. NVD-2026-450313. OSV-2026-450314. GHSA-cwpj-h54c-xjpx5. GCVE-2026-45031

References

1. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cwpj-h54c-xjpx