High severity (CVSS 7.5, NVD Advisory) · Published Feb 11, 2026 · Updated Apr 30, 2026
CVE-2026-25990
Description
Pillow is a Python imaging library. In versions from 10.3.0 up to, but not including, 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 10.3.0, < 12.1.1 | 12.1.1 |
Affected products
OSV coordinates (28 versions; no CPE is recorded for any of them):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/kubeflow-pipelines-visualization-server | < 2.15.0-r5 |
| pkg:apk/chainguard/label-studio | < 1.22.0-r4 |
| pkg:apk/chainguard/litellm | < 1.81.12.1-r0 |
| pkg:apk/chainguard/mlflow | < 3.9.0-r1 |
| pkg:apk/chainguard/mlflow-iamguarded-compat | < 3.9.0-r1 |
| pkg:apk/chainguard/pgadmin4 | < 9.12-r1 |
| pkg:apk/chainguard/pgadmin4-fips | < 9.12-r1 |
| pkg:apk/chainguard/py3.10-vllm-cuda-12.4 | < 0.16.0-r0 |
| pkg:apk/chainguard/py3.11-text-generation-inference | < 3.3.7-r7 |
| pkg:apk/chainguard/py3.12-vllm-cuda-12.4 | < 0.16.0-r0 |
| pkg:apk/chainguard/superset-5.0 | < 5.0.0-r17 |
| pkg:apk/chainguard/superset-6.0 | < 6.0.0-r2 |
| pkg:apk/chainguard/tensorflow-cpu-jupyter | < 2.20.0-r11 |
| pkg:apk/chainguard/tensorflow-gpu-jupyter | < 2.20.0-r10 |
| pkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9 | < 25.9.0_git20251112-r7 |
| pkg:apk/chainguard/vllm-openai-cuda-12.9 | < 0.15.1-r0 |
| pkg:apk/wolfi/kubeflow-pipelines-visualization-server | < 2.15.0-r5 |
| pkg:apk/wolfi/mlflow | < 3.9.0-r1 |
| pkg:apk/wolfi/mlflow-iamguarded-compat | < 3.9.0-r1 |
| pkg:apk/wolfi/superset-5.0 | < 5.0.0-r17 |
| pkg:apk/wolfi/superset-6.0 | < 6.0.0-r2 |
| pkg:apk/wolfi/tensorflow-cpu-jupyter | < 2.20.0-r11 |
| pkg:bitnami/pillow | >= 10.3.0, < 12.1.1 |
| pkg:pypi/pillow | >= 10.3.0, < 12.1.1 |
| pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2016.0 | < 11.3.0-160000.3.1 |
| pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Tumbleweed | < 12.1.1-1.1 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 11.3.0-160000.3.1 |
| pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 11.3.0-160000.3.1 |
References
- www.openwall.com/lists/oss-security/2026/02/12/1 (NVD: Mailing List, Patch, Third Party Advisory)
- github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa (NVD: Patch)
- github.com/advisories/GHSA-cfh3-3jmp-rvhc (GHSA: Advisory)
- github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25990 (GHSA: Advisory)
- github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199 (GHSA: Patch commit)
- github.com/python-pillow/Pillow/pull/9427 (GHSA: Pull request)
- pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html (GHSA: Release notes)