Death by magic
The ‘magic’ part of ImageMagick is the problem here. One of its main selling points is that it just works and does something at least kind-of-useful with almost any file type you might want to convert to an image and process so. Which is very nice when you need it.
But it is also exactly the wrong approach for untrusted input.
Does a web image gallery really need converters from PoV-Ray, manual pages and HTTPS (sic)?