pillow
PyPI60 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting pillowpage 2 of 2
- CVE-2023-44271HIGHCVSS 7.5EG 7.5✓ Fixed in 10.0.02023-11-03
vulnerable: 1.0 ... 9.5.0 (92 versions)
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in Ima…
- CVE-2023-4863HIGHCVSS 8.8EG 9.0⚠ KEV✓ Fixed in 10.0.12023-09-12
vulnerable: 1.0 ... 9.5.0 (93 versions)
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
- CVE-2023-50447HIGHCVSS 8.1EG 8.1✓ Fixed in 10.2.02024-01-19
vulnerable: 1.0 ... 9.5.0 (95 versions)
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
- CVE-2024-28219MEDIUMCVSS 6.7EG 6.7✓ Fixed in 10.3.02024-04-03
vulnerable: 1.0 ... 9.5.0 (96 versions)
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
- CVE-2026-25990HIGHCVSS 7.5EG 7.5✓ Fixed in 12.1.12026-02-11
vulnerable: 10.3.0 ... 12.1.0 (8 versions)
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
- CVE-2026-40192HIGHCVSS 7.5EG 7.5✓ Fixed in 12.2.02026-04-15
vulnerable: 10.3.0 ... 12.1.1 (9 versions)
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could …
- CVE-2026-42308MEDIUMCVSS 5.5EG 5.5✓ Fixed in 12.2.02026-05-09
vulnerable: 1.0 ... 9.5.0 (105 versions)
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched i…
- CVE-2026-42309MEDIUMCVSS 5.5EG 5.5✓ Fixed in 12.2.02026-05-09
vulnerable: 11.2.1, 11.3.0, 12.0.0, 12.1.0, 12.1.1
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could ca…
- CVE-2026-42310MEDIUMCVSS 5.5EG 5.5✓ Fixed in 12.2.02026-05-09
vulnerable: 10.0.0 ... 9.5.0 (51 versions)
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue ha…
- CVE-2026-42311HIGHCVSS 7.8EG 7.8✓ Fixed in 12.2.02026-05-09
vulnerable: 10.3.0 ... 12.1.1 (9 versions)
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in…
Check whether pillow is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for pillow CVEs against the assets you own.
Start Free Scan →