CVE-2026-25990

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25990
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa Patch
https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/02/12/1 Mailing List Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
History

30 Apr 2026, 21:16

Type Values Removed Values Added
Summary
  • (es) Pillow es una librería de procesamiento de imágenes de Python. Desde la versión 10.3.0 hasta antes de la 12.1.1, una escritura fuera de límites puede ser activada al cargar una imagen PSD especialmente manipulada. Esta vulnerabilidad está corregida en la versión 12.1.1.
Summary (en) Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1. (en) Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

13 Feb 2026, 21:32

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
References () https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa - () https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa - Patch
References () https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc - () https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc - Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2026/02/12/1 - () http://www.openwall.com/lists/oss-security/2026/02/12/1 - Mailing List, Patch, Third Party Advisory
First Time Python
Python pillow
CPE cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*

12 Feb 2026, 05:17

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2026/02/12/1 -

11 Feb 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-11 21:16

Updated : 2026-04-30 21:16

NVD link : CVE-2026-25990

Mitre link : CVE-2026-25990

CVE.ORG link : CVE-2026-25990

JSON object : View

Products Affected

python

  • pillow
CWE
CWE-787

Out-of-bounds Write