High severity 7.5 · NVD Advisory · Published Feb 11, 2026 · Updated Apr 30, 2026
CVE-2026-25990
Description
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 10.3.0, < 12.1.1 | 12.1.1 |
Affected products: 1
Patches: 0
No patches discovered yet.
References (8)
- www.openwall.com/lists/oss-security/2026/02/12/1 (nvd: Mailing List, Patch, Third Party Advisory)
- github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa (nvd: Patch, WEB)
- github.com/advisories/GHSA-cfh3-3jmp-rvhc (ghsa: ADVISORY)
- github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc (nvd: Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-25990 (ghsa: ADVISORY)
- github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199 (ghsa: WEB)
- github.com/python-pillow/Pillow/pull/9427 (ghsa: WEB)
- pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html (ghsa: WEB)