Medium severity5.5GHSA Advisory· Published May 9, 2026· Updated May 12, 2026

CVE-2026-42309

Description

Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pillowPyPI	>= 11.2.1, < 12.2.0	12.2.0

Affected products

Python Pillow/PillowGHSA
Range: >= 11.2.1, < 12.2.0
Python (programming language)/Pillow
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Range: >=11.2.1,<12.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-5xmw-vc9v-4wf2ghsaADVISORY
github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-42309ghsaADVISORY
github.com/python-pillow/Pillow/releases/tag/12.2.0nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000