python pillow CVE 漏洞(65)

CVE 数: 65 CPE versions: View versions table

摘要

本页列出影响 python pillow 的已公开 CVE 漏洞(通过 NVD CPE 关联)。每行包含严重程度评分、摘要与发布日期,便于识别与分析安全问题。

显示 12065 CVE 数
«« 第一页 « 上一页 第 1 / 4 页 下一页 »
CVE 摘要 来源 最高 CVSS EPSS % 公开时间 更新时间
CVE-2026-55798 Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get_command() constructed a cmd.exe shell command by directly embedding a file path into an f-string without escaping and passed the result to subprocess.Popen(..., shell=True), allowing shell metacharacters in the file path to inject arbitrary cmd.exe commands. This issue is fixed in version 12.3.0. [email protected] 4.5 0.12% 2026-07-06 2026-07-07
CVE-2026-55380 Pillow is a Python imaging library. Prior to 12.3.0, PIL/GdImageFile.py GdImageFile._open() read image dimensions from the GD 2.x header and stored them in self._size without calling Image._decompression_bomb_check(), allowing a crafted .gd file to trigger excessive C-heap allocation when loaded. This issue is fixed in version 12.3.0. [email protected] 7.5 0.34% 2026-07-06 2026-07-07
CVE-2026-55379 Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdf_char() read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new() without calling Image._decompression_bomb_check(), bypassing Pillow's documented decompression bomb protection and allowing excessive memory allocation. This issue is fixed in version 12.3.0. [email protected] 7.5 0.37% 2026-07-06 2026-07-07
CVE-2026-54060 Pillow is a Python imaging library. Prior to 12.3.0, PIL/FontFile.py FontFile.compile() assembled per-glyph images into a combined bitmap with Image.new("1", (xsize, ysize)) without calling Image._decompression_bomb_check(), allowing a font to trigger excessive allocation during conversion or saving. This issue is fixed in version 12.3.0. [email protected] 7.5 0.34% 2026-07-06 2026-07-07
CVE-2026-54059 Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allowing crafted PCF font data to cause excessive memory allocation. This issue is fixed in version 12.3.0. [email protected] 7.5 0.34% 2026-07-06 2026-07-07
CVE-2026-42311 Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0. [email protected] 8.6 0.15% 2026-05-09 2026-06-17
CVE-2026-42310 Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0. [email protected] 5.1 0.13% 2026-05-09 2026-06-17
CVE-2026-42309 Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0. [email protected] 5.1 0.13% 2026-05-09 2026-06-17
CVE-2026-42308 Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0. [email protected] 5.1 0.11% 2026-05-09 2026-06-17
CVE-2026-40192 Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround. [email protected] 8.7 0.67% 2026-04-15 2026-07-02
CVE-2026-25990 Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1. [email protected] 8.6 0.37% 2026-02-11 2026-07-01
CVE-2025-48379 Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0. [email protected] 7.1 0.26% 2025-07-01 2026-06-17
CVE-2024-28219 In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy. [email protected] 6.7 0.99% 2024-04-02 2026-06-17
CVE-2023-50447 Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). [email protected] 8.1 1.70% 2024-01-19 2026-06-17
CVE-2023-44271 An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. [email protected] 7.5 1.04% 2023-11-03 2026-06-17
CVE-2022-45199 Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. [email protected] 7.5 1.10% 2022-11-14 2026-06-17
CVE-2022-45198 Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). [email protected] 7.5 1.19% 2022-11-14 2026-06-17
CVE-2022-30595 libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. [email protected] 9.8 1.92% 2022-05-25 2026-06-17
CVE-2022-24303 Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. [email protected] 9.1 2.81% 2022-03-27 2026-06-17
CVE-2022-22817 PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. [email protected] 9.8 3.40% 2022-01-10 2026-06-17
«« 第一页 « 上一页 第 1 / 4 页 下一页 »
cvelogic Threat Intelligence