CVE-2026-25990 (Critical) detected in pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whlΒ #3366
Description
CVE-2026-25990 - Critical Severity Vulnerability
Vulnerable Library - pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Path to dependency file: /charts/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260228001532_SEWSTS/python_HCPZPL/202602280017481/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info,/tmp/ws-ua_20260228001532_SEWSTS/python_HCPZPL/202602280017481/env/lib/python3.9/site-packages/pillow-11.3.0.dist-info
Dependency Hierarchy:
- matplotlib-3.9.4-cp310-cp310-macosx_10_12_x86_64.whl (Root Library)
- β pillow-11.3.0-cp39-cp39-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 8dbdb4a1170502df116e35d16ab172d26c02609e
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Publish Date: 2026-02-11
URL: CVE-2026-25990
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cfh3-3jmp-rvhc
Release Date: 2026-02-11
Fix Resolution (pillow): 12.1.1
Direct dependency fix Resolution (matplotlib): 3.10.0
Step up your Open Source Security Game with Mend here