Fluid Attacks Database

Description

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=10.3.0 <12.1.1	12.1.1
debian 13	pillow	=11.1.0-5 \|\| >=0 <11.1.0-5+deb13u1	11.1.0-5+deb13u1
debian 14	pillow	=11.1.0-5 \|\| =11.2.1-1 \|\| =11.3.0-1 \|\| =12.0.0-1 \|\| =12.1.0-1 \|\| >=0 <12.1.1-1	12.1.1-1

Aliases

1. CVE-2026-259902. NVD-2026-259903. OSV-2026-259904. OSV-DEBIAN-2026-259905. GHSA-cfh3-3jmp-rvhc6. GCVE-2026-259907. SECURITY-TRACKER-CVE-2026-25990

References

1. https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc2. https://github.com/python-pillow/Pillow/pull/94273. https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a31994. https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa5. https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.