ImageMagick vulnerabilities: known CVEs & security history
ImageMagick · Actively exploited · 767 tracked CVEs · 3 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all ImageMagick release lines — 767 in total, with 3 actively exploited in the wild. A CVE here doesn't mean your version is affected — check ImageMagick's current status and the safe version to run.
Known ImageMagick CVEs
Actively-exploited and most-severe first. Showing the top 80 of 767.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2016-3714 (exploited) | high | 8.4 | 97% | 2016 |
| CVE-2016-3718 (exploited) | medium | 5.5 | 77% | 2016 |
| CVE-2016-3715 (exploited) | medium | 5.5 | 75% | 2016 |
| CVE-2023-34152 | critical | 9.8 | 8% | 2023 |
| CVE-2019-19952 | critical | 9.8 | 2% | 2019 |
| CVE-2019-19948 | critical | 9.8 | 4% | 2019 |
| CVE-2018-16329 | critical | 9.8 | 2% | 2018 |
| CVE-2018-16328 | critical | 9.8 | 2% | 2018 |
| CVE-2018-14551 | critical | 9.8 | 4% | 2018 |
| CVE-2017-18211 | critical | 9.8 | 4% | 2018 |
| CVE-2017-18210 | critical | 9.8 | 3% | 2018 |
| CVE-2017-17499 | critical | 9.8 | 3% | 2017 |
| CVE-2017-15032 | critical | 9.8 | 2% | 2017 |
| CVE-2017-14626 | critical | 9.8 | 3% | 2017 |
| CVE-2017-14625 | critical | 9.8 | 3% | 2017 |
| CVE-2017-14624 | critical | 9.8 | 3% | 2017 |
| CVE-2017-14532 | critical | 9.8 | 3% | 2017 |
| CVE-2017-14138 | critical | 9.8 | 2% | 2017 |
| CVE-2017-13139 | critical | 9.8 | 4% | 2017 |
| CVE-2014-9826 | critical | 9.8 | 4% | 2017 |
| CVE-2017-5511 | critical | 9.8 | 5% | 2017 |
| CVE-2016-10145 | critical | 9.8 | 5% | 2017 |
| CVE-2016-10144 | critical | 9.8 | 5% | 2017 |
| CVE-2014-9847 | critical | 9.8 | 4% | 2017 |
| CVE-2014-9846 | critical | 9.8 | 5% | 2017 |
| CVE-2014-9843 | critical | 9.8 | 4% | 2017 |
| CVE-2014-9841 | critical | 9.8 | 4% | 2017 |
| CVE-2014-9852 | critical | 9.8 | 3% | 2017 |
| CVE-2016-5239 | critical | 9.8 | 3% | 2017 |
| CVE-2016-5841 | critical | 9.8 | 13% | 2016 |
| CVE-2016-5691 | critical | 9.8 | 5% | 2016 |
| CVE-2016-5690 | critical | 9.8 | 5% | 2016 |
| CVE-2016-5689 | critical | 9.8 | 5% | 2016 |
| CVE-2016-5687 | critical | 9.8 | 5% | 2016 |
| CVE-2016-5118 | critical | 9.8 | 49% | 2016 |
| CVE-2016-4564 | critical | 9.8 | 3% | 2016 |
| CVE-2019-19949 | critical | 9.1 | 3% | 2019 |
| CVE-2016-6520 | critical | 9.1 | 4% | 2016 |
| CVE-2004-0981 | high | 10 | 6% | 2005 |
| CVE-2009-1882 | high | 9.3 | 7% | 2009 |
| CVE-2007-4987 | high | 9.3 | 4% | 2007 |
| CVE-2007-0770 | high | 9.3 | 5% | 2007 |
| CVE-2006-5868 | high | 9.3 | 3% | 2006 |
| CVE-2025-55154 | high | 8.8 | 1% | 2025 |
| CVE-2014-2030 | high | 8.8 | 11% | 2020 |
| CVE-2014-1958 | high | 8.8 | 3% | 2020 |
| CVE-2019-17547 | high | 8.8 | 2% | 2019 |
| CVE-2019-17541 | high | 8.8 | 2% | 2019 |
| CVE-2019-17540 | high | 8.8 | 2% | 2019 |
| CVE-2019-15140 | high | 8.8 | 4% | 2019 |
| CVE-2019-13391 | high | 8.8 | 3% | 2019 |
| CVE-2019-13308 | high | 8.8 | 3% | 2019 |
| CVE-2019-13303 | high | 8.8 | 2% | 2019 |
| CVE-2019-13302 | high | 8.8 | 2% | 2019 |
| CVE-2019-13300 | high | 8.8 | 3% | 2019 |
| CVE-2019-13299 | high | 8.8 | 2% | 2019 |
| CVE-2019-13298 | high | 8.8 | 2% | 2019 |
| CVE-2019-13297 | high | 8.8 | 3% | 2019 |
| CVE-2019-13295 | high | 8.8 | 3% | 2019 |
| CVE-2019-13135 | high | 8.8 | 3% | 2019 |
| CVE-2019-9956 | high | 8.8 | 6% | 2019 |
| CVE-2018-16413 | high | 8.8 | 4% | 2018 |
| CVE-2018-16412 | high | 8.8 | 4% | 2018 |
| CVE-2018-12600 | high | 8.8 | 3% | 2018 |
| CVE-2018-12599 | high | 8.8 | 3% | 2018 |
| CVE-2018-11625 | high | 8.8 | 2% | 2018 |
| CVE-2018-11624 | high | 8.8 | 2% | 2018 |
| CVE-2018-9135 | high | 8.8 | 2% | 2018 |
| CVE-2018-8960 | high | 8.8 | 4% | 2018 |
| CVE-2018-8804 | high | 8.8 | 4% | 2018 |
| CVE-2017-18209 | high | 8.8 | 3% | 2018 |
| CVE-2018-5248 | high | 8.8 | 4% | 2018 |
| CVE-2017-17880 | high | 8.8 | 1% | 2017 |
| CVE-2017-17879 | high | 8.8 | 3% | 2017 |
| CVE-2017-16546 | high | 8.8 | 2% | 2017 |
| CVE-2017-15281 | high | 8.8 | 3% | 2017 |
| CVE-2017-15017 | high | 8.8 | 2% | 2017 |
| CVE-2017-15016 | high | 8.8 | 2% | 2017 |
| CVE-2017-15015 | high | 8.8 | 1% | 2017 |
| CVE-2017-14682 | high | 8.8 | 2% | 2017 |
687 older / lower-severity CVEs not shown — see ImageMagick's full record.
Is my ImageMagick version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
ImageMagick vulnerabilities — frequently asked
How many known vulnerabilities does ImageMagick have?
IsItPatched tracks 767 CVEs for ImageMagick, 3 of which are actively exploited (CISA KEV). 35 are critical-severity and 215 high-severity. These span every release line — what matters is whether the version you run is affected.
Does ImageMagick have any actively-exploited vulnerabilities?
Yes — 3 ImageMagick CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild. Patch these as a priority.
What is the most severe ImageMagick vulnerability?
Among tracked issues, CVE-2016-3714 (HIGH, CVSS 8.4), which is actively exploited, ranks highest. It is an improper input validation weakness.
Is ImageMagick safe to use?
It depends on the version. The latest supported ImageMagick release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against ImageMagick's advisories.