CVE-2026-40192 - High Severity Vulnerability
Vulnerable Library - pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/a5/a0/98a3630f0b57f77bae67716562513d3032ae70414fcaf02750279c389a9e/pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260502164659_VUTIMO/python_CPCFNF/202605021649131/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info,/tmp/ws-ua_20260502164659_VUTIMO/python_CPCFNF/202605021649131/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info
Dependency Hierarchy:
- matplotlib-3.9.4-cp310-cp310-macosx_10_12_x86_64.whl (Root Library)
  - ❌ pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8dbdb4a1170502df116e35d16ab172d26c02609e
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Publish Date: 2026-04-15
URL: CVE-2026-40192
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5xc4v2j
Release Date: 2026-04-13
Fix Resolution: https://github.com/python-pillow/Pillow.git - 12.2.0
Step up your Open Source Security Game with Mend here