Lucene search
+L

173 matches found

osv
osv
added yesterday3 views

BIT-PILLOW-2026-59205 Pillow: Controlled heap out-of-bounds write in `ImageCmsTransform.apply()` via output mode mismatch

Pillow is a Python imaging library. Prior to 12.3.0, Pillow's ImageCms.ImageCmsTransform.applyim, imOut API can trigger controlled native heap corruption when the caller supplies an output image whose mode does not match the transform's declared output mode. This issue is fixed in version 12.3.0...

7.5CVSS6.1AI score0.0039EPSS
Exploits1References5
osv
osv
added 2 days ago3 views

DEBIAN-CVE-2026-59197

Pillow is a Python imaging library. Prior to 12.3.0, Pillow's public rank-filter API can trigger a native heap out-of-bounds write when given a very large odd filter size because ImageFilter.RankFilter.filter calls image.expandsize // 2, size // 2 before rank-filter size validation and...

8.2CVSS6.1AI score0.00397EPSS
Exploits0References1
osv
osv
added 2 days ago3 views

DEBIAN-CVE-2026-59204

Pillow is a Python imaging library. From 8.2.0 through 12.2.0, src/libImaging/Jpeg2KDecode.c accumulates totalcomponentwidth across every tile in a JPEG2000 image instead of recomputing it per tile, allowing a crafted tiled JPEG2000 file to force substantially higher transient memory usage and...

7.5CVSS6.1AI score0.00398EPSS
Exploits1References1
osv
osv
added 2 days ago5 views

DEBIAN-CVE-2026-59199

Pillow is a Python imaging library. Prior to 12.3.0, Pillow public image coordinate APIs can trigger a native heap out-of-bounds write when given coordinates near the signed 32-bit integer limits in Image.paste, Image.crop, or Image.alphacomposite. This issue is fixed in version 12.3.0...

7.5CVSS6.1AI score0.0039EPSS
Exploits1References1
osv
osv
added 2 days ago3 views

CVE-2026-59198 Pillow TGA RLE encoder can serialize up to ~57 KB of adjacent heap data into generated images

Pillow is a Python imaging library. From 5.2.0 until 12.3.0, Pillow's TGA RLE encoder reads past its packed row buffer when saving a mode 1 image with TGA RLE compression, allowing adjacent process heap bytes to be copied into the generated TGA file. This issue is fixed in version 12.3.0...

6.5CVSS6.1AI score0.00313EPSS
Exploits1References6
cve
cve
added 2 days ago10 views

CVE-2026-59199

Pillow (Python imaging library) prior to 12.3.0 is affected by a heap out-of-bounds write in public image coordinate APIs when coordinates near signed 32-bit limits are provided to Image.paste(), Image.crop(), or Image.alpha_composite(). The issue is fixed in 12.3.0. Affected component: Pillow’s ...

7.5CVSS6.1AI score0.0039EPSS
Exploits1References4Affected Software1
redhat
redhat
added 2 days ago7 views

python-pillow: Pillow: Denial of Service via crafted PCF font data

A flaw was found in Pillow, a Python imaging library. A remote attacker could exploit this vulnerability by providing specially crafted PCF font data. This data, when processed, can lead to excessive memory allocation because the library does not properly check for decompression bombs. The primar...

7.5CVSS6AI score0.00354EPSS
Exploits1References7
opensuse
opensuse
added 2 days ago3 views

python313-Pillow-12.3.0-1.1 on GA media (moderate)

python313-Pillow-12.3.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:11261-1 Rating: moderate Cross-References: CVE-2014-3589 CVE-2014-3598 CVE-2016-0740 CVE-2016-0775 CVE-2016-3076 CVE-2020-15999 CVE-2020-35653 CVE-2020-35654 CVE-2020-35655 CVE-2021-23437 CVE-2021-25289 CVE-2021-25290...

9.8CVSS6.7AI score0.5063EPSS
Exploits5
osv
osv
added 2026/07/08 11:34 a.m.6 views

BIT-PILLOW-2026-55380 Pillow GdImageFile decompression bomb protection bypass

Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile.open read image dimensions from the GD 2.x header and stored them in self.size without calling Image.decompressionbombcheck, allowing a crafted .gd file to trigger excessive C-heap allocation when loaded. This iss...

7.5CVSS6AI score0.00361EPSS
Exploits1References4
osv
osv
added 2026/07/08 11:34 a.m.6 views

BIT-PILLOW-2026-54060 Pillow: `FontFile.compile()`: `Image.new()` called without `_decompression_bomb_check()`

Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile assembled per-glyph images into a combined bitmap with Image.new"1", xsize, ysize without calling Image.decompressionbombcheck, allowing a font to trigger excessive allocation during conversion or saving. This...

7.5CVSS5.9AI score0.00361EPSS
Exploits1References4
susecve
susecve
added 2026/07/07 3:13 p.m.14 views

SUSE CVE-2026-54059

Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py loadbitmaps read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes without calling Image.decompressionbombcheck, allowing crafted PCF font data to cause excessive memory allocation. Thi...

7.5CVSS6AI score0.00354EPSS
Exploits1References3
susecve
susecve
added 2026/07/07 3:13 p.m.9 views

SUSE CVE-2026-54060

Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile assembled per-glyph images into a combined bitmap with Image.new"1", xsize, ysize without calling Image.decompressionbombcheck, allowing a font to trigger excessive allocation during conversion or saving. This...

7.5CVSS6AI score0.00361EPSS
Exploits1References3
susecve
susecve
added 2026/07/07 3:13 p.m.9 views

SUSE CVE-2026-55379

Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdfchar read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new without calling Image.decompressionbombcheck, bypassing Pillow's documented decompression bomb protection...

7.5CVSS6AI score0.00364EPSS
Exploits1References3
susecve
susecve
added 2026/07/07 3:13 p.m.10 views

SUSE CVE-2026-55380

Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile.open read image dimensions from the GD 2.x header and stored them in self.size without calling Image.decompressionbombcheck, allowing a crafted .gd file to trigger excessive C-heap allocation when loaded. This iss...

7.5CVSS6AI score0.00361EPSS
Exploits1References3
redhatcve
redhatcve
added 2026/07/07 11:58 a.m.7 views

CVE-2026-54059

A flaw was found in Pillow, a Python imaging library. A remote attacker could exploit this vulnerability by providing specially crafted PCF font data. This data, when processed, can lead to excessive memory allocation because the library does not properly check for decompression bombs. The primar...

7.5CVSS6AI score0.00354EPSS
Exploits1References6
nessus
nessus
added 2026/07/07 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-54060

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile assembled per- glyph images into a combined bitmap with Image.new1, xsize,...

7.5CVSS6.1AI score0.00361EPSS
Exploits1References4
nvd
nvd
added 2026/07/06 7:17 p.m.8 views

CVE-2026-54059

Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py loadbitmaps read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes without calling Image.decompressionbombcheck, allowing crafted PCF font data to cause excessive memory allocation. Thi...

7.5CVSS0.00354EPSS
Exploits1References3
nvd
nvd
added 2026/07/06 7:17 p.m.6 views

CVE-2026-55380

Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile.open read image dimensions from the GD 2.x header and stored them in self.size without calling Image.decompressionbombcheck, allowing a crafted .gd file to trigger excessive C-heap allocation when loaded. This iss...

7.5CVSS0.00361EPSS
Exploits1References3
osv
osv
added 2026/07/06 6:50 p.m.4 views

CVE-2026-55380 Pillow GdImageFile decompression bomb protection bypass

Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile.open read image dimensions from the GD 2.x header and stored them in self.size without calling Image.decompressionbombcheck, allowing a crafted .gd file to trigger excessive C-heap allocation when loaded. This iss...

7.5CVSS6AI score0.00361EPSS
Exploits1References5
debiancve
debiancve
added 2026/07/06 6:50 p.m.6 views

CVE-2026-55380

Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile.open read image dimensions from the GD 2.x header and stored them in self.size without calling Image.decompressionbombcheck, allowing a crafted .gd file to trigger excessive C-heap allocation when loaded. This iss...

7.5CVSS6AI score0.00361EPSS
Exploits1
Rows per page
Query Builder