Bitnami package
pillow
pkg:bitnami/pillow
Vulnerabilities (45)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42311 | Hig | 7.8 | >= 10.3.0, < 12.2.0 | 12.2.0 | May 9, 2026 | Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0. | |
| CVE-2026-42310 | Med | 5.5 | >= 4.2.0, < 12.2.0 | 12.2.0 | May 9, 2026 | Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0. | |
| CVE-2026-42309 | Med | 5.5 | >= 11.2.1, < 12.2.0 | 12.2.0 | May 9, 2026 | Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lis | |
| CVE-2026-42308 | Med | 5.5 | < 12.2.0 | 12.2.0 | May 9, 2026 | Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0. | |
| CVE-2026-40192 | Hig | 7.5 | >= 10.3.0, < 12.2.0 | 12.2.0 | Apr 15, 2026 | Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leadi | |
| CVE-2026-25990 | Hig | 7.5 | >= 10.3.0, < 12.1.1 | 12.1.1 | Feb 11, 2026 | Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1. | |
| CVE-2025-48379 | — | >= 11.2.0 | — | Jul 1, 2025 | Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only aff | ||
| CVE-2024-28219 | — | >= 0 | — | Apr 3, 2024 | In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy. | ||
| CVE-2023-50447 | — | < 10.1.1 | 10.1.1 | Jan 19, 2024 | Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). | ||
| CVE-2023-44271 | — | < 10.0.0 | 10.0.0 | Nov 3, 2023 | An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw in | ||
| CVE-2022-45199 | — | < 9.3.0 | 9.3.0 | Nov 14, 2022 | Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. | ||
| CVE-2022-45198 | — | < 9.2.0 | 9.2.0 | Nov 14, 2022 | Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). | ||
| CVE-2022-30595 | — | >= 9.1.0, < 9.1.1 | 9.1.1 | May 25, 2022 | libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. | ||
| CVE-2022-24303 | — | < 9.0.1 | 9.0.1 | Mar 28, 2022 | Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. | ||
| CVE-2022-22817 | — | < 9.0.1 | 9.0.1 | Jan 7, 2022 | PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. | ||
| CVE-2022-22816 | — | < 9.0.0 | 9.0.0 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. | ||
| CVE-2022-22815 | — | < 9.0.0 | 9.0.0 | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. | ||
| CVE-2021-23437 | — | >= 5.2.0, < 8.3.2 | 8.3.2 | Sep 3, 2021 | The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. | ||
| CVE-2021-34552 | — | >= 1.0.0, < 1.1.8 | 1.1.8 | Jul 13, 2021 | Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. | ||
| CVE-2021-28677 | — | < 8.2.0 | 8.2.0 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A maliciou |
- affected >= 10.3.0, < 12.2.0fixed 12.2.0
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
- affected >= 4.2.0, < 12.2.0fixed 12.2.0
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.
- affected >= 11.2.1, < 12.2.0fixed 12.2.0
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lis
- affected < 12.2.0fixed 12.2.0
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
- affected >= 10.3.0, < 12.2.0fixed 12.2.0
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leadi
- affected >= 10.3.0, < 12.1.1fixed 12.1.1
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
- CVE-2025-48379Jul 1, 2025affected >= 11.2.0
Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only aff
- CVE-2024-28219Apr 3, 2024affected >= 0
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
- CVE-2023-50447Jan 19, 2024affected < 10.1.1fixed 10.1.1
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
- CVE-2023-44271Nov 3, 2023affected < 10.0.0fixed 10.0.0
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw in
- CVE-2022-45199Nov 14, 2022affected < 9.3.0fixed 9.3.0
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.
- CVE-2022-45198Nov 14, 2022affected < 9.2.0fixed 9.2.0
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
- CVE-2022-30595May 25, 2022affected >= 9.1.0, < 9.1.1fixed 9.1.1
libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files.
- CVE-2022-24303Mar 28, 2022affected < 9.0.1fixed 9.0.1
Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.
- CVE-2022-22817Jan 7, 2022affected < 9.0.1fixed 9.0.1
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
- CVE-2022-22816Jan 7, 2022affected < 9.0.0fixed 9.0.0
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
- CVE-2022-22815Jan 7, 2022affected < 9.0.0fixed 9.0.0
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
- CVE-2021-23437Sep 3, 2021affected >= 5.2.0, < 8.3.2fixed 8.3.2
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
- CVE-2021-34552Jul 13, 2021affected >= 1.0.0, < 1.1.8fixed 1.1.8
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
- CVE-2021-28677Jun 2, 2021affected < 8.2.0fixed 8.2.0
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A maliciou
Page 1 of 3