CVE-2026-55379
- EPSS 0.36%
- Veröffentlicht 06.07.2026 18:52:11
- Zuletzt bearbeitet 07.07.2026 18:59:01
Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf_char() read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new() without calling Image._decompression_bomb_check(), by...
CVE-2026-55380
- EPSS 0.36%
- Veröffentlicht 06.07.2026 18:50:14
- Zuletzt bearbeitet 07.07.2026 18:58:54
Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile._open() read image dimensions from the GD 2.x header and stored them in self._size without calling Image._decompression_bomb_check(), allowing a crafted .gd file to t...
CVE-2026-54060
- EPSS 0.36%
- Veröffentlicht 06.07.2026 18:49:23
- Zuletzt bearbeitet 07.07.2026 18:58:45
Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile() assembled per-glyph images into a combined bitmap with Image.new("1", (xsize, ysize)) without calling Image._decompression_bomb_check(), allowing a font to trigge...
CVE-2026-54059
- EPSS 0.35%
- Veröffentlicht 06.07.2026 18:46:09
- Zuletzt bearbeitet 07.07.2026 18:58:26
Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allowing craft...
CVE-2026-55798
- EPSS 0.14%
- Veröffentlicht 06.07.2026 18:44:38
- Zuletzt bearbeitet 07.07.2026 18:58:33
Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get_command() constructed a cmd.exe shell command by directly embedding a file path into an f-string without escaping and passed the result to subprocess.Popen(..., shell=True), allow...
CVE-2026-42311
- EPSS 0.15%
- Veröffentlicht 09.05.2026 04:11:58
- Zuletzt bearbeitet 14.05.2026 20:27:45
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12...
CVE-2026-42310
- EPSS 0.13%
- Veröffentlicht 09.05.2026 04:10:48
- Zuletzt bearbeitet 12.05.2026 17:55:38
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patc...
CVE-2026-42308
- EPSS 0.11%
- Veröffentlicht 09.05.2026 04:09:01
- Zuletzt bearbeitet 12.05.2026 17:57:20
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 1...
CVE-2026-42309
- EPSS 0.13%
- Veröffentlicht 09.05.2026 04:08:10
- Zuletzt bearbeitet 12.05.2026 17:57:24
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap ...
CVE-2026-40192
- EPSS 0.67%
- Veröffentlicht 15.04.2026 23:16:10
- Zuletzt bearbeitet 02.07.2026 12:17:14
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbou...