Unrated severityNVD Advisory· Published Jul 7, 2026
Debian pillow: Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get_command()…
CVE-2026-55798
Description
Pillow is a Python imaging library. Prior to 12.3.0, WindowsViewer.get_command() constructed a cmd.exe shell command by directly embedding a file path into an f-string without escaping and passed the result to subprocess.Popen(..., shell=True), allowing shell metacharacters in the file path to inject arbitrary cmd.exe commands. This issue is fixed in version 12.3.0.
Affected products
1Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.