Python Pillow
18 CVEs affecting Python Pillow. Latest disclosed: 2026-05-09. Critical: 1, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2016-4009 | Critical | 9.8 | 2016-04-13 | Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact v… |
| CVE-2026-42311 | High | 7.8 | 2026-05-09 | Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially… |
| CVE-2016-9190 | High | 7.8 | 2016-11-04 | Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Exten… |
| CVE-2026-25990 | High | 7.5 | 2026-02-11 | Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vuln… |
| CVE-2016-2533 | Medium | 6.5 | 2016-04-13 | Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attacke… |
| CVE-2016-0775 | Medium | 6.5 | 2016-04-13 | Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash)… |
| CVE-2016-0740 | Medium | 6.5 | 2016-04-13 | Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafte… |
| CVE-2026-42310 | Medium | 5.5 | 2026-05-09 | Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefin… |
| CVE-2026-42309 | Medium | 5.5 | 2026-05-09 | Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as I… |
| CVE-2026-42308 | Medium | 5.5 | 2026-05-09 | Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the cur… |
| CVE-2016-3076 | Medium | 5.5 | 2017-04-24 | Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corrupti… |
| CVE-2016-9189 | Medium | 5.5 | 2016-11-04 | Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overf… |
| CVE-2014-3598 | | | 2015-05-01 | The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image. |
| CVE-2014-9601 | | | 2015-01-16 | Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompress… |
| CVE-2014-3589 | | | 2014-08-25 | PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via… |
| CVE-2014-3007 | | | 2014-04-27 | Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified… |
| CVE-2014-1933 | | | 2014-04-17 | The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporar… |
| CVE-2014-1932 | | | 2014-04-17 | The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy functi… |