This page lists publicly disclosed CVE vulnerabilities affecting python pillow (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-42311 | Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0. | [email protected] | 8.6 | 0.15% | 2026-05-09 | 2026-06-17 |
| CVE-2026-42310 | Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0. | [email protected] | 5.1 | 0.13% | 2026-05-09 | 2026-06-17 |
| CVE-2026-42309 | Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0. | [email protected] | 5.1 | 0.13% | 2026-05-09 | 2026-06-17 |
| CVE-2026-42308 | Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0. | [email protected] | 5.1 | 0.11% | 2026-05-09 | 2026-06-17 |
| CVE-2026-40192 | Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround. | [email protected] | 8.7 | 0.48% | 2026-04-15 | 2026-06-17 |
| CVE-2026-25990 | Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1. | [email protected] | 8.6 | 0.37% | 2026-02-11 | 2026-06-17 |
| CVE-2025-48379 | Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0. | [email protected] | 7.1 | 0.26% | 2025-07-01 | 2026-06-17 |
| CVE-2024-28219 | In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy. | [email protected] | 6.7 | 0.99% | 2024-04-02 | 2026-06-17 |
| CVE-2023-50447 | Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). | [email protected] | 8.1 | 1.70% | 2024-01-19 | 2026-06-17 |
| CVE-2023-44271 | An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. | [email protected] | 7.5 | 1.04% | 2023-11-03 | 2026-06-17 |
| CVE-2022-45199 | Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. | [email protected] | 7.5 | 1.10% | 2022-11-14 | 2026-06-17 |
| CVE-2022-45198 | Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). | [email protected] | 7.5 | 1.19% | 2022-11-14 | 2026-06-17 |
| CVE-2022-30595 | libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. | [email protected] | 9.8 | 1.92% | 2022-05-25 | 2026-06-17 |
| CVE-2022-24303 | Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. | [email protected] | 9.1 | 2.73% | 2022-03-27 | 2026-06-17 |
| CVE-2022-22817 | PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. | [email protected] | 9.8 | 3.40% | 2022-01-10 | 2026-06-17 |
| CVE-2022-22816 | path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. | [email protected] | 6.5 | 1.96% | 2022-01-10 | 2026-06-17 |
| CVE-2022-22815 | path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | [email protected] | 6.5 | 2.56% | 2022-01-10 | 2026-06-17 |
| CVE-2021-23437 | The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. | [email protected] | 7.5 | 2.88% | 2021-09-03 | 2026-06-16 |
| CVE-2021-34552 | Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. | [email protected] | 9.8 | 3.16% | 2021-07-13 | 2026-06-16 |
| CVE-2021-28678 | An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. | [email protected] | 5.5 | 0.73% | 2021-06-02 | 2026-06-16 |