VYPR

Pillow

by Python (programming language)

pypi: pillow

Source repositories

CVEs (19)

  • CVE-2016-4009CriApr 13, 2016
    risk 0.57cvss 9.8epss 0.08

    Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.

  • CVE-2016-9190HigNov 4, 2016
    risk 0.51cvss 7.8epss 0.02

    Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.

  • CVE-2026-42311HigMay 9, 2026
    risk 0.44cvss 7.8epss 0.00

    Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.

  • CVE-2026-40192HigApr 15, 2026
    risk 0.42cvss 7.5epss 0.00

    Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption,…

  • CVE-2026-25990HigFeb 11, 2026
    risk 0.42cvss 7.5epss 0.00

    Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

  • CVE-2016-3076MedApr 24, 2017
    risk 0.36cvss 5.5epss 0.03

    Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.

  • CVE-2016-9189MedNov 4, 2016
    risk 0.36cvss 5.5epss 0.02

    Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.

  • CVE-2016-2533MedApr 13, 2016
    risk 0.36cvss 6.5epss 0.04

    Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.

  • CVE-2016-0775MedApr 13, 2016
    risk 0.35cvss 6.5epss 0.03

    Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.

  • CVE-2016-0740MedApr 13, 2016
    risk 0.35cvss 6.5epss 0.02

    Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.

  • CVE-2026-42310MedMay 9, 2026
    risk 0.29cvss 5.5epss 0.00

    Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.

  • CVE-2026-42309MedMay 9, 2026
    risk 0.29cvss 5.5epss 0.00

    Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested…

  • CVE-2026-42308MedMay 9, 2026
    risk 0.29cvss 5.5epss 0.00

    Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.

  • CVE-2014-3007Apr 27, 2014
    risk 0.01cvss epss 0.12

    Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.

  • CVE-2014-3598May 1, 2015
    risk 0.00cvss epss 0.02

    The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

  • CVE-2014-9601Jan 16, 2015
    risk 0.00cvss epss 0.05

    Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.

  • CVE-2014-3589Aug 25, 2014
    risk 0.00cvss epss 0.04

    PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.

  • CVE-2014-1933Apr 17, 2014
    risk 0.00cvss epss 0.00

    The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

  • CVE-2014-1932Apr 17, 2014
    risk 0.00cvss epss 0.00

    The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary…