MIT-CMU
All Versions
Vulnerabilities (Public)
Known vulnerabilities and security issues detected in the extension's dependencies and code.
| Vulnerability ID | Advisory | Severity | Affected Versions |
|---|---|---|---|
| CVE-2026-42311 | Affected versions of the pillow package are vulnerable to Out-of-bounds Write due to an integer overflow in PSD tile extent bounds checks that allow attacker-controlled tile dimensions to bypass valid… | High | >=10.3.0,<12.2.0 |
| CVE-2026-40192 | Affected versions of the pillow package are vulnerable to Denial of Service due to unrestricted GZIP-compressed data consumption during FITS image decoding. The FITS image plugin does not limit the am… | High | >=10.3.0,<12.2.0 |
| CVE-2026-25990 | Affected versions of the Pillow package are vulnerable to an Out-of-bounds Write issue due to insufficient validation of tile extents when decoding PSD image data. When Image.open() loads a PSD and th… | High | >=10.3.0,<12.1.1 |
| CVE-2023-50447 | Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitr… | High | <10.2.0 |
| CVE-2023-44271 | Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. … | High | <10.0.0 |
| CVE-2026-42308 | Affected versions of the pillow package are vulnerable to Integer Overflow due to unchecked accumulation of glyph advance values while tracking the current rendering position during font processing. W… | Medium | <12.2.0 |
| CVE-2026-42309 | Affected versions of the pillow package are vulnerable to a heap-based buffer overflow due to insufficient validation of coordinate input passed to drawing APIs. Passing nested lists as coordinates to… | Medium | >=11.2.1,<12.2.0 |
| CVE-2026-42310 | Affected versions of the pillow package are vulnerable to Denial of Service due to an unbounded loop when traversing PDF cross-reference trailer chains without cycle detection. The PdfParser module fo… | Medium | >=4.2.0,<12.2.0 |
| CVE-2025-48379 | Affected versions of this package are vulnerable to a Buffer Overflow when saving sufficiently large compressed DDS images (>64KB with default settings). The DDS encoding functionality fails to perfor… | Medium | >=11.2.1,<11.3.0 |
| CVE-2024-28219 | Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. | Medium | <10.3.0 |
Safety Discovered Vulnerabilities
Additional security issues found by Safety, exclusive to our platform.

