CVE-2022-22817
CVE-2022-22817 affects Pillow’s PIL.ImageMath.eval before 9.0.0, enabling evaluation of arbitrary expressions (including code execution) via the expression parameter; a workaround/change was introduced in Pillow 9.0.0 to restrict builtins. Upgrading to 9.0.0+ (per Pillow release notes) is the adv...
CVE-2023-50447
Summary: CVE-2023-50447 affects Pillow up to 10.1.0, enabling Arbitrary Code Execution via the environment parameter in PIL.ImageMath.eval. This is a separate issue from CVE-2022-22817 (expression parameter). What’s affected: Pillow library in Python projects (Pillow versions up to 10.1.0). Root ...
CVE-2019-16865
Pillow CVE-2019-16865 affects Pillow
CVE-2024-28219
CVE-2024-28219 affects the Pillow Python imaging library. In _imagingcms.c, a buffer overflow was introduced because strcpy was used instead of a safer copy like strncpy, impacting Pillow before version 10.3.0. The issue filename and function indicate a likely overflow related to fixed-length str...
CVE-2021-34552
Pillow (Python Imaging Library) vulnerability CVE-2021-34552: Buffer overflow in Convert.c when passing controlled parameters to convert(), affecting Pillow <= 8.2.0 and PIL
CVE-2021-25290
Pillow up to version 8.1.1 contains a vulnerability in the TIFF image reader: a negative-offset memcpy with an invalid size in TiffDecode.c. This can lead to memory corruption. The issue is documented as CVE-2021-25290 and is referenced in multiple advisories (e.g., Debian, AlmaLinux, Amazon Linu...
CVE-2020-5312
CVE-2020-5312 is a Pillow vulnerability where libImaging/PcxDecode.c may overflow the PCX P mode buffer in Pillow versions before 6.2.2. The issue arises during decoding PCX images and could impact memory handling in affected builds. Public advisories and release notes indicate upgrading Pillow t...
CVE-2020-5313
Pillow (libImaging/FliDecode.c) has an FLI buffer overflow in versions before 6.2.2. Affected: Pillow/Python imaging library; root cause is an FLI decode buffer overflow. Impact is described as overflow in loading FLI images. Remediation: upgrade to Pillow 6.2.2 or later (per the CVE entry and ve...
CVE-2020-5311
Pillow’s vulnerability CVE-2020-5311 affects the libImaging/SgiRleDecode.c path and is triggered by an SGI buffer overflow in Pillow versions before 6.2.2. The issue is in the SGI image parsing code, not in a user-provided input path description; impact is partial to high depending on exposure of...
CVE-2020-35653
CVE-2020-35653 affects Pillow up to version 8.0.x, where the PCX decoder (PcxDecode) may trigger a buffer over-read when processing a crafted PCX file because the user-supplied stride is trusted for buffer calculations. The issue is documented across multiple advisories (e.g., Debian, Arch, AlmaLin...
CVE-2020-5310
CVE-2020-5310 affects Pillow’s TIFF decoding path, specifically libImaging/TiffDecode.c. The root cause is a TIFF decoding integer overflow tied to memory reallocation (realloc), exposing Pillow versions prior to 6.2.2 to potential crash or compromise when processing crafted TIFF images. Affected...
CVE-2021-25293
The CVE-2021-25293 issue is in Pillow prior to 8.1.1, caused by an out-of-bounds read in SGIRleDecode.c. Affected: Pillow up to version 8.1.1. Impact: information about the exact impact is described in the CVE entry; the connected documents confirm the vulnerability. Remediation: upgrade Pillow t...
CVE-2021-27922
Pillow vulnerability CVE-2021-27922: Pillow before 8.1.2 can trigger excessive memory allocation when processing ICNS containers because the reported image size isn’t properly checked. This memory DoS is the explicit impact described in multiple sources (e.g., Astra Linux advisory referencing Pil...
CVE-2021-25291
Pillow before 8.1.1 is affected by an out-of-bounds read in TiffDecode.c (TiffReadRGBATile) due to invalid tile boundaries. Root cause: boundary handling in TiffReadRGBATile as reported for CVE-2021-25291. According to linked advisories and release notes, remediation is to upgrade to Pillow 8.1.1...
CVE-2021-25292
Pillow (Python Imaging Library fork) prior to 8.1.1 is affected by a vulnerability in its PDF format parser that allows a regular expression DoS (ReDoS) via a crafted PDF file due to a catastrophic backtracking regex. This can impact availability as indicated by the CVSS vector in the CVE entry, ...
CVE-2022-22815
Summary (supported by provided docs): CVE-2022-22815 concerns the Pillow Python imaging library. The issue is in path_getbbox() within path.c where ImagePath.Path is improperly initialized, enabling a buffer over-read/improper initialization that can cause memory access errors or crashes. Connect...
CVE-2022-22816
CVE-2022-22816 affects Pillow’s image path handling. The vulnerability is a buffer over-read in path_getbbox() inside path.c during initialization of ImagePath.Path, present in Pillow versions before 9.0.0. The flaw can allow reading memory outside the intended bounds. The issue is mitigated by u...
CVE-2021-27921
CVE-2021-27921 concerns Pillow (Python Imaging Library). Affected: Pillow versions before 8.1.2 (i.e., through 8.1.1). Issue: memory-allocating DoS due to the reported size of a contained image not being properly checked for BLP containers, allowing a very large allocation. Impact: potential denial of service...
CVE-2021-27923
CVE-2021-27923 affects Pillow up to 8.1.1. It causes a denial-of-service via memory exhaustion because the reported size of a contained image is not properly checked for an ICO container, potentially triggering a very large memory allocation. Root cause: inadequate validation of ICO container ima...
CVE-2019-19911
Summary (CVE-2019-19911): Pillow before 6.2.2 contains a DoS vulnerability in FpxImagePlugin.py where range() is applied to an unvalidated 32‑bit integer when the number of bands is large. On 32‑bit Windows Python this can trigger OverflowError or MemoryError due to the 2 GB limit; on 64‑bit Lin...
CVE-2021-23437
CVE-2021-23437 affects Pillow (Python Imaging Library): the getrgb function is vulnerable to a regular expression denial-of-service (ReDoS). Affected versions: Pillow 5.2.0 and versions before 8.3.2. The issue can cause partial availability impact. The CVSS base score is 7.5 (HIGH) per NVD. Remediat...
CVE-2020-35655
Pillow (before 8.1.0) contains a vulnerability in SGIRleDecode: a 4‑byte buffer over-read while decoding crafted SGI RLE images caused by mishandled offsets and length tables.
CVE-2021-25289
CVE-2021-25289 affects Pillow before 8.1.1. The issue is a heap-based buffer overflow in TiffDecode when decoding crafted YCbCr files, triggered by interpretation conflicts with LibTIFF in RGBA mode. This stems from an incomplete fix for CVE-2020-35654. The CVE is documented with high severity (C...
CVE-2020-10177
CVE-2020-10177 affects Pillow prior to 7.1.0, with multiple out-of-bounds reads in libImaging/FliDecode.c. Technical details across connected advisories confirm affected package is python-pillow and fixes are provided in Pillow 7.1.0+ (e.g., ALAS-2024-2648, ALAS2 advisories; Mageia notes referenc...
CVE-2020-35654
Pillow CVE-2020-35654 affects TiffDecode: heap-based buffer overflow when decoding crafted YCbCr files due to interpretation conflicts with LibTIFF in RGBA mode. Affected versions are Pillow before 8.1.0 (and related notes indicate an incomplete fix extending to 8.1.1 per downstream advisories). ...
CVE-2021-28677
CVE-2021-28677 affects Pillow before 8.2.0. The EPSImageFile.readline implementation mishandles line endings (combination of \r and \n) using a quadratic accumulation method, enabling a DoS during the open phase before an image is opened. Connected sources reference Pillow’s fix in 8.2.0 and note...
CVE-2022-24303
Pillow (Python Imaging Library fork) is affected by CVE-2022-24303. The vulnerability arises in Pillow’s handling of spaces in temporary pathnames, enabling an attacker to delete files through path traversal-like behavior. This impacts Pillow versions before 9.0.1. The documented consequence is f...
CVE-2023-44271
CVE-2023-44271 affects Pillow prior to 10.0.0, causing Denial of Service via uncontrolled memory allocation when using long text inputs in ImageDraw.textlength for truetype fonts. Multiple advisories (Debian, AlmaLinux/ALAS, Amazon Linux, CentOS/RHEL, Fedora) reference this vulnerability and reco...
CVE-2021-25287
Pillow CVE-2021-25287 affects the Python Pillow library prior to 8.2.0, with an out-of-bounds read in J2kDecode (function: j2ku_graya_la). The related CVE-2021-25288 affects J2kDecode in j2ku_gray_i. Public advisories and CNVD entries corroborate the out-of-bounds read in these JPEG 2000 decoding...
CVE-2021-28676
CVE-2021-28676 affects Pillow prior to 8.2.0. The flaw is in FLI data handling where FliDecode did not properly check that the block advance is non-zero, which can lead to an infinite loop while loading. This is documented across multiple sources (e.g., Pillow release notes, advisories) as a load...
CVE-2021-25288
Pillow CVE-2021-25288 is an out-of-bounds read vulnerability in the J2kDecode path (j2ku_gray_i) affecting Pillow before 8.2.0. Multiple sources confirm the flaw; remediation is to upgrade to Pillow 8.2.0 or later. Exploitation details are not provided in the supplied documents.
CVE-2021-28675
The CVE-2021-28675 issue affects Pillow (before 8.2.0). PSDImagePlugin.PsdImageFile does not perform a sanity check on the number of input layers relative to the data block size, enabling a potential Denial of Service when opening images with Image.open (prior to Image.load). Connected documents ...
CVE-2016-2533
CVE-2016-2533 affects Pillow and PIL prior to versions that fix the ImagingPcdDecode function in PcdDecode.c. A crafted PhotoCD file can cause a remote denial of service (crash) due to a buffer overflow in Pillow before 3.1.1 and PIL 1.1.7 and earlier. In all connected sources, the vulnerability ...
CVE-2021-28678
CVE-2021-28678 affects Pillow prior to 8.2.0, where the BlpImagePlugin for BLP data failed to properly validate reads after seeking to file offsets. This can allow a denial-of-service by repeatedly decoding on empty data. Root cause: insufficient checks on data returned by reads in BlpImagePlugin...
CVE-2016-0775
Pillow (Python Imaging Library fork) contains a buffer overflow in ImagingFliDecode (libImaging/FliDecode.c) that affects versions before 3.1.1. A crafted FLI file can crash the process (DoS) or, per some sources, enable arbitrary code execution in affected contexts. The issue is documented acros...
CVE-2020-11538
CVE-2020-11538 affects Pillow up to 7.0.0, with out-of-bounds reads in SGI image parsing (libImaging/SgiRleDecode.c). Connected sources confirm Pillow as the impacted product and outline the vulnerability class, but do not provide exploit details. The fix is in Pillow 7.1.0 and later; remediation...
CVE-2016-9189
CVE-2016-9189 concerns Pillow (Python Imaging Library fork). Affected: Pillow versions before 3.3.2. Root cause: integer overflow in Image.core.map_buffer within map.c that can be exploited via crafted image files. Impact: information disclosure (partial confidentiality) per CVSS data; local expl...
CVE-2016-9190
Pillow (Python Imaging Library) prior to version 3.3.2 is affected by CVE-2016-9190. The bug arises from an Insecure Sign Extension issue in ImagingNew within Storage.c, enabling context-dependent attackers to achieve arbitrary code execution via a crafted image file. Affected versions are Pillow...
CVE-2016-0740
Pillow vulnerability CVE-2016-0740: Buffer overflow in ImagingLibTiffDecode (libImaging/TiffDecode.c) allows remote attackers to overwrite memory via a crafted TIFF file. Affected software: Pillow prior to 3.1.1. Impact is memory corruption; exploitation requires processing a malformed TIFF. Reme...
CVE-2020-10378
In Pillow, CVE-2020-10378 is an out-of-bounds read in the PCX decoding path. Specifically, in libImaging/PcxDecode.c, when reading PCX files, state->shuffle may be instructed to read beyond state->buffer, enabling an out-of-bounds access. This vulnerability is documented for Pillow releases...
CVE-2020-10994
CVE-2020-10994 affects Pillow, specifically in libImaging/Jpeg2KDecode.c. The vulnerability consists of multiple out-of-bounds reads when decoding JP2 files, as described in the CVE entry and corroborated by connected advisories. Affected versions are Pillow before 7.1.0; remediation is to upgrad...
CVE-2020-10379
Summary: CVE-2020-10379 affects Pillow prior to 7.1.0, with two Buffer Overflows in libImaging/TiffDecode.c. This is documented in the CVE as a vulnerability with partial confidentiality, integrity, and availability impact (CVSS v3.1: 7.8, LOCAL, UI REQUIRED; CVSS v2: 6.8). The initial descriptio...
CVE-2022-45198
CVE-2022-45198 affects Pillow up to version 9.2.0, where improper handling of highly compressed GIF data (Data Amplification) can cause abnormal resource usage. Public sources confirm Pillow prior to 9.2.0 is vulnerable; advisories reference upgrades to mitigate. Debian LTS notes Pillow updates (...
CVE-2022-45199
CVE-2022-45199 affects the Python Pillow library. According to connected sources, Pillow versions before 9.3.0 are vulnerable to denial of service via the SAMPLESPERPIXEL pathway, with exploitation potentially impacting availability. The CVE is associated with a base score of 7.5 (HIGH) under N...
CVE-2025-48379
CVE-2025-48379 (Pillow) Vulnerability: Pillow (Python imaging library) versions from 11.2.0 up to, but not including, 11.3.0 contain a heap buffer overflow when saving large (>64k) images in DDS format, caused by writing into a buffer without checking available space. The issue affects users who save untruste...
CVE-2022-30595
CVE-2022-30595 affects Pillow (Python Pillow library) v9.1.0, where libImaging/TgaRleDecode.c can trigger a heap-based buffer overflow when processing invalid TGA files. This is caused by improper handling in TgaRleDecode, with some sources describing potential remote code execution if exploited....
CVE-2014-1932
CVE-2014-1932 affects Python Imaging Library (PIL) 1.1.7 and earlier and Pillow prior to 2.3.1. The vulnerability is caused by improper creation of temporary files in PIL components (DJPEG in JpegImagePlugin.py, Ghostscript in EpsImagePlugin.py, load in IptcImagePlugin.py, and _copy in Image.py),...
CVE-2016-4009
CVE-2016-4009 affects Pillow (PIL fork): an integer overflow in ImagingResampleHorizontal (libImaging/Resample.c) for Pillow before 3.1.1 allows remote attackers to trigger a heap-based buffer overflow by supplying negative values for the new size. This yields a potential crash or other memory co...
CVE-2014-9601
CVE-2014-9601 affects the Pillow library (Python Imaging Library) prior to 2.7.0. A crafted PNG image containing a large compressed text chunk can cause a denial of service when decompressed, due to resource exhaustion. The connected advisories and entries (e.g., Pillow 2.7.0 release notes and re...
CVE-2014-3589
CVE-2014-3589 affects PIL/Pillow’s IcnsImagePlugin.py: Pillow and PIL before 2.3.2 and 2.5.x before 2.5.2 are vulnerable to a denial-of-service via a crafted block size. The root cause is an issue in image handling that allows remote attackers to trigger resource exhaustion. Affected products inc...