Important: python-pillow

🗓️ 05 Mar 2026 00:00:00Reported by AmazonType

amazon

amazon🔗 alas.aws.amazon.com👁 2 Views

Pillow is vulnerable to out-of-bounds writes on crafted photoshop docs; fixed in version 12.1.1.

Reporter	Title	Published	Views	Family All 94
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component uses pillow-12.1.0-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl which is vulnerable to CVE-2026-25990.	30 Mar 202607:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses pillow-10.3.0-cp39-cp39-manylinux_2_28_x86_64.whl which is vulnerable to CVE-2026-25990.	16 Apr 202607:34	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to multiple CVEs.	30 Apr 202612:13	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Pillowy affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.	4 May 202614:25	–	ibm
IBM Security Bulletins	Security Bulletin: EDB PGAI Hybrid Management with IBM is affected by Multiple Vulnerabilities.	6 May 202615:18	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses pillow-11.3.0 which is vulnerable to CVE-2026-25990	27 May 202615:01	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Out-of-bounds Write in Python Pillow [CVE-2026-25990]	14 Apr 202615:06	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	16 Mar 202613:27	–	ibm
ATTACKERKB	CVE-2026-25990	11 Feb 202620:53	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : python3-pillow, python3-pillow-devel, python3-pillow-tk (ALAS2023-2026-1452)	6 Mar 202600:00	–	nessus

OS	OS Version	Architecture	Package	Package Version	Filename
Amazon Linux	2	aarch64	python-pillow-debuginfo	9.4.0-2.amzn2023.0.7	python-pillow-debuginfo-9.4.0-2.amzn2023.0.7.aarch64.rpm
Amazon Linux	2	x86_64	python-pillow-debuginfo	9.4.0-2.amzn2023.0.7	python-pillow-debuginfo-9.4.0-2.amzn2023.0.7.x86_64.rpm
Amazon Linux	2	aarch64	python-pillow-debugsource	9.4.0-2.amzn2023.0.7	python-pillow-debugsource-9.4.0-2.amzn2023.0.7.aarch64.rpm
Amazon Linux	2	x86_64	python-pillow-debugsource	9.4.0-2.amzn2023.0.7	python-pillow-debugsource-9.4.0-2.amzn2023.0.7.x86_64.rpm
Amazon Linux	2	aarch64	python3-pillow	9.4.0-2.amzn2023.0.7	python3-pillow-9.4.0-2.amzn2023.0.7.aarch64.rpm
Amazon Linux	2	x86_64	python3-pillow	9.4.0-2.amzn2023.0.7	python3-pillow-9.4.0-2.amzn2023.0.7.x86_64.rpm
Amazon Linux	2	aarch64	python3-pillow-debuginfo	9.4.0-2.amzn2023.0.7	python3-pillow-debuginfo-9.4.0-2.amzn2023.0.7.aarch64.rpm
Amazon Linux	2	x86_64	python3-pillow-debuginfo	9.4.0-2.amzn2023.0.7	python3-pillow-debuginfo-9.4.0-2.amzn2023.0.7.x86_64.rpm
Amazon Linux	2	aarch64	python3-pillow-devel	9.4.0-2.amzn2023.0.7	python3-pillow-devel-9.4.0-2.amzn2023.0.7.aarch64.rpm
Amazon Linux	2	x86_64	python3-pillow-devel	9.4.0-2.amzn2023.0.7	python3-pillow-devel-9.4.0-2.amzn2023.0.7.x86_64.rpm

05 Mar 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.5

CVSS 49.3

EPSS0.00014

SSVC

pillow out of bounds crafted photoshop doc update guidance amazon linux