CVE-2026-25990 - High Severity Vulnerability
Vulnerable Library - pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/a5/a0/98a3630f0b57f77bae67716562513d3032ae70414fcaf02750279c389a9e/pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260502164659_VUTIMO/python_CPCFNF/202605021649131/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info,/tmp/ws-ua_20260502164659_VUTIMO/python_CPCFNF/202605021649131/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info
Dependency Hierarchy:
- matplotlib-3.9.4-cp310-cp310-macosx_10_12_x86_64.whl (Root Library)
- ❌ pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8dbdb4a1170502df116e35d16ab172d26c02609e
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Publish Date: 2026-02-11
URL: CVE-2026-25990
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cfh3-3jmp-rvhc
Release Date: 2026-02-11
Fix Resolution (pillow): 12.1.1
Direct dependency fix Resolution (matplotlib): 3.10.0
Step up your Open Source Security Game with Mend here
CVE-2026-25990 - High Severity Vulnerability
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/a5/a0/98a3630f0b57f77bae67716562513d3032ae70414fcaf02750279c389a9e/pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260502164659_VUTIMO/python_CPCFNF/202605021649131/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info,/tmp/ws-ua_20260502164659_VUTIMO/python_CPCFNF/202605021649131/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info
Dependency Hierarchy:
Found in HEAD commit: 8dbdb4a1170502df116e35d16ab172d26c02609e
Found in base branch: main
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Publish Date: 2026-02-11
URL: CVE-2026-25990
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-cfh3-3jmp-rvhc
Release Date: 2026-02-11
Fix Resolution (pillow): 12.1.1
Direct dependency fix Resolution (matplotlib): 3.10.0
Step up your Open Source Security Game with Mend here