diff --git a/CHANGELOG.md b/CHANGELOG.md
index caddceeb1..979f0fc31 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -57,6 +57,7 @@
 - Fix bug in collapsing/expanding folders with some special characters in names (#9324)
 - Fix PHP8 warnings (#9363, #9365, #9429)
 - Fix missing field labels in CSV import, for some locales (#9393)
+- Fix command injection via crafted im_convert_path/im_identify_path on Windows
 ## Release 1.6.6
diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php
index 7f2e22c4c..9dbeb4703 100644
--- a/program/lib/Roundcube/rcube_image.php
+++ b/program/lib/Roundcube/rcube_image.php
@@ -487,18 +487,20 @@ class rcube_image
 {
 static $error = [];
- $cmd = rcube::get_instance()->config->get($opt_name);
+ $cmd = (string) rcube::get_instance()->config->get($opt_name);
 if (empty($cmd)) {
 return false;
 }
+ $cmd = trim($cmd);
+
 if (preg_match('/^(convert|identify)(\.exe)?$/i', $cmd)) {
 return $cmd;
 }
 // Executable must exist, also disallow network shares on Windows
- if ($cmd[0] != '\\' && file_exists($cmd)) {
+ if ($cmd[0] !== '\\' && strpos($cmd, '//') !== 0 && file_exists($cmd)) {
 return $cmd;
 }
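Review bot: The added `$cmd = trim($cmd);` runs after the `empty($cmd)` guard, so a whitespace-only config value passes the guard, is trimmed to `''`, and then reaches `$cmd[0]` on an empty string, which raises an "Uninitialized string offset" warning on PHP 8 before `file_exists('')` finally fails. Trimming before the guard closes that gap: `$cmd = trim((string) rcube::get_instance()->config->get($opt_name));` and drop the later `$cmd = trim($cmd);` line. The new share check also accepts any existing local path, including one containing shell metacharacters; whether that is safe depends on the caller quoting the returned value (e.g. with escapeshellarg), which is outside this hunk and worth confirming. The enclosing method continues past the end of the hunk.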